MCSE: ISA Server 2000 Administration Study Guide
William Heldman
SYBEX®
MCSE: ISA Server Administration Study Guide
...
32 downloads
1048 Views
14MB Size
Report
This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form
MCSE: ISA Server 2000 Administration Study Guide
William Heldman
SYBEX®
MCSE: ISA Server Administration Study Guide
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
MCSE: ISA Server 2000 Administration Study Guide
William Heldman
San Francisco • Paris • Düsseldorf • Soest • London Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Jeff Kellum Editor: Linda Recktenwald Production Editor: Molly Glover Technical Editors: Daniel A. Galant, Peter Lenges Book Designer: Bill Gibson Graphic Illustrator: Tony Jonick Electronic Publishing Specialists: Stacey Corbin, Bill Clark Proofreaders: Laurie O’Connell, Yariv Rabinovitch, Amy J. Rasmussen, Nancy Riddiough Indexer: Ted Laux CD Coordinator: Christine Detlefs CD Technician: Kevin Ly Cover Designer: Archer Design Cover Photographer: Natural Selection Copyright © 2001 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 2001094598 ISBN: 0-7821-2933-1 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. Microsoft ® Internet Explorer © 1996 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft Internet Explorer logo, Windows, Windows NT, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SYBEX is an independent entity from Microsoft Corporation, and not affiliated with Microsoft Corporation in any manner. This publication may be used in assisting students to prepare for a Microsoft Certified Professional Exam. Neither Microsoft Corporation, its designated review company, nor SYBEX warrants that use of this publication will ensure passing the relevant exam. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
To Our Valued Readers: In recent years, Microsoft’s MCSE program has established itself as the premier computer and networking industry certification. Nearly a quarter of a million IT professionals have attained MCSE status in the NT 4 track. Sybex is proud to have helped thousands of MCSE candidates prepare for their exams over these years, and we are excited about the opportunity to continue to provide people with the skills they’ll need to succeed in the highly competitive IT industry. For the Windows 2000 MCSE track, Microsoft has made it their mission to demand more of exam candidates. Exam developers have gone to great lengths to raise the bar in order to prevent a papercertification syndrome, one in which individuals obtain a certification without a thorough understanding of the technology. Sybex welcomes this new philosophy as we have always advocated a comprehensive instructional approach to certification courseware. It has always been Sybex’s mission to teach exam candidates how new technologies work in the real world, not to simply feed them answers to test questions. Sybex was founded on the premise of providing technical skills to IT professionals, and we have continued to build on that foundation, making significant improvements to our study guides based on feedback from readers, suggestions from instructors, and comments from industry leaders. The depth and breadth of technical knowledge required to obtain Microsoft’s new Windows 2000 MCSE is staggering. Sybex has assembled some of the most technically skilled instructors in the industry to write our study guides, and we’re confident that our Windows 2000 MCSE study guides will meet and exceed the demanding standards both of Microsoft and you, the exam candidate. Good luck in pursuit of your MCSE!
Neil Edde Associate Publisher—Certification Sybex, Inc.
SYBEX Inc. 1151 Marina Village Parkway, Alameda, CA 94501 Tel: 510/523-8233 Fax: 510/523-2373 HTTP://www.sybex.com Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time. Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.
during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to: SYBEX Inc. Customer Service Department 1151 Marina Village Parkway Alameda, CA 94501 WEB: HTTP://WWW.SYBEX.COM After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX. Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions. Shareware Distribution
Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).
This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.
Warranty
Copy Protection
SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media
The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
To my loving wife, Kimmie.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Acknowledgments
I
t takes a lot of people to make a book happen. Sybex is different from other publishers in that the people at Sybex develop the book ideas and then find the authors to match them. Other companies such as Macmillan and Microsoft Press simply wait for authors to “pitch” book ideas to them. If the idea sounds good and fits in with the plan, then the author gets a green light to create an outline and a sample table of contents. At Sybex, the process starts with an acquisitions and developmental editor, who contacts an author to see if he or she is interested in writing the book. My contacting editor at Sybex was Jeff Kellum, truly a very nice man who’s interested in getting good-quality, timely content out to readers. We talked about the ISA book back at last year’s TechMentor conference in San Francisco, but it wasn’t till February or so that I got hooked up with the book. Once a few chapters are in and things are perking along, the book is handed over to a production editor. In this book’s case, that was Molly Glover. Production editors guide the book through the editorial and production processes. Next, the book was assigned to an editor, Linda Recktenwald, and a technical editor (TE), Daniel Galant. Editors go over every facet of the book, making sure the artwork is rendered correctly, handling spelling and grammar corrections, recommending changes to text, making sure the author sticks to the approved style sheets, and so forth. TEs review the material for technical accuracy and ensure that the author has used the latest information available. In Sybex’s MCSE study guides, a second TE reviews the completed manuscript. In this case, the second TE was Peter Lenges. There are numerous behind-the-scenes folks who handle the author’s contracts, render the artwork, lay out the finalized chapters, send the completed work to press, and so forth. Every single person I’ve ever encountered who works for Sybex or is contracting with Sybex has been top-notch in their professionalism and attitude toward the book in progress. I’ve never experienced anything other than top-drawer working relationships with the people at Sybex—which is what keeps me writing for them (as long as they’ll have me). In addition to the people listed above, I’d like to thank Neil Edde, who gave me my first book break, MCSE: Systems Management Server 1.2 Study Guide, and who’s been a pal ever since. Thanks also to Jordan Gold and Rodnay Zaks for their leadership roles at Sybex and for growing the company into the technical publishing force that it is today. Thanks to God for giving good gifts and helping people find a way to use their gifts to benefit others.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
M
icrosoft’s Microsoft Certified Systems Engineer (MCSE) track for Windows 2000 is the premier certification for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, the MCSE Windows 2000 program is a powerful credential for career advancement. This book has been developed to give you the critical skills and knowledge you need to prepare for one of the core requirements of the new MCSE certification program: Installing, Configuring, and Administering Microsoft ISA Server 2000, Enterprise Edition (Exam 70-227).
The Microsoft Certified Professional Program Since the inception of its certification program, Microsoft has certified over one million people. As the computer network industry grows in both size and complexity, these numbers are sure to grow—and the need for proven ability will also increase. Companies rely on certifications to verify the skills of prospective employees and contractors. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. Obtaining your MCP certification requires that you pass any one Microsoft certification exam. Several levels of certification are available based on specific suites of exams. Depending on your areas of interest or experience, you can obtain any of the following MCP credentials: Microsoft Certified System Engineer (MCSE) This certification track is designed for network and systems administrators, network and systems analysts, and technical consultants who work with Microsoft Windows 2000 client and server software. You must take and pass seven exams to obtain your MCSE.
Since this book covers one of the MCSE elective exams, we will discuss the MCSE certification in detail in this Introduction.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xx
Introduction
Microsoft Certified Solution Developer (MCSD) This track is designed for software engineers and developers and technical consultants who primarily use Microsoft development tools. Currently, you can take exams on Visual Basic, Visual C++, and Visual FoxPro. However, with Microsoft’s pending release of Visual Studio 7, you can expect the requirements for this track to change by the end of 2001. You must take and pass four exams to obtain your MCSD. Microsoft Certified Database Administrator (MCDBA) This track is designed for database administrators, developers, and analysts who work with Microsoft SQL Server. As of this printing, you can take exams on either SQL Server 7 or SQL Server 2000, but Microsoft is expected to announce the retirement of SQL Server 7. You must take and pass four exams to achieve MCDBA status. Microsoft Certified Trainer (MCT) The MCT track is designed for any IT professional who develops and teaches Microsoft-approved courses. To become an MCT, you must first obtain your MCSE, MCSD, or MCDBA; then you must take a class at one of the Certified Technical Training Centers. You will also be required to prove your instructional ability. You can do this in various ways: by taking a skills-building or train-the-trainer class; by achieving certification as a trainer from any of a number of vendors; or by becoming a Certified Technical Trainer through the Chauncey Group (www.chauncey.com/ctt.html). Last of all, you will need to complete an MCT application.
As of March 1, 2001, Microsoft no longer offers MCSE NT 4 required exams. Those who are certified in NT 4 have until December 31, 2001, to upgrade their credentials to Windows 2000. In addition, at the time of this printing, Microsoft announced plans for Windows XP and Windows .NET exams. For details on these new exams, visit www.microsoft.com/ trainingandservices.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxi
Windows 2000 Over the next few years, companies around the world will deploy millions of copies of Windows 2000 as the central operating system for their mission-critical networks. This will generate an enormous need for qualified consultants and personnel who can design, deploy, and support Windows 2000 networks. Because Windows 2000 is such a vast product, its administrators must have a wealth of professional skills. As an example of Windows 2000’s complexity, consider that it has more than 35 million lines of code as compared with Windows NT 4’s 12 million! Much of this code is needed to support the wide range of functionality that Windows 2000 offers. The Windows 2000 line comprises several versions:
Windows 2000 Professional This is the client edition of Windows 2000, which is comparable to Windows NT Workstation 4 but also includes the best features of Windows 98, as well as many new features. Windows 2000 Server/Windows 2000 Advanced Server
A server edition of Windows 2000, this version is for small to midsized deployments. Advanced Server supports more memory and processors than Server does.
Windows 2000 Datacenter Server This is a server edition of Windows 2000 for large, widescale deployments and computer clusters. Datacenter Server supports the most memory and processors of the three versions. Companies implementing the expansive Windows 2000 operating system want to be certain that you are the right person for the job being offered. The MCSE track is designed to help you prove that you are.
How Do You Become an MCSE? Attaining MCSE certification has always been a challenge. In the past, students have been able to acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, this is simply not the case.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxii
Introduction
Microsoft has taken strong steps to protect the security and integrity of the new MCSE track. Now, prospective MSCEs must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with Windows 2000 and related software products. The new MCSE program is heavily weighted toward hands-on skills and experience. Microsoft has stated that “nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate the time and effort to learn Windows 2000, you can prepare yourself well for the exams by using the proper tools. By working through this book, you should successfully meet the exam requirements. This book is part of a complete series of Sybex MCSE Study Guides, published by Sybex Inc., that together cover the core Windows 2000 requirements as well as the new Design exams needed to complete your MCSE track. Study Guide titles include the following: ■
■
■
■
■
■
■
■
■
MCSE: Windows 2000 Professional Study Guide, Second Edition, by Lisa Donald with James Chellis (Sybex, 2001) MCSE: Windows 2000 Server Study Guide, Second Edition, by Lisa Donald with James Chellis (Sybex, 2001) MCSE: Windows 2000 Network Infrastructure Administration Study Guide, Second Edition, by Paul Robichaux with James Chellis (Sybex, 2001) MCSE: Windows 2000 Directory Services Administration Study Guide, Second Edition, by Anil Desai with James Chellis (Sybex, 2001) MCSE: Windows 2000 Network Security Design Study Guide, by Gary Govanus and Robert King (Sybex, 2000) MCSE: Windows 2000 Network Infrastructure Design Study Guide, by Bill Heldman (Sybex, 2000) MCSE: Windows 2000 Directory Services Design Study Guide, by Robert King and Gary Govanus (Sybex, 2000) MCSE: Windows 2000 Study Guide, by Todd Phillips (Sybex, 2001) MCSE: SQL Server 2000 Administration Study Guide, by Lance Mortensen, Joe Jorden, and Rick Sawtell (Sybex 2001)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
■
■
■
■
xxiii
MCSE: SQL Server 2000 Design Study Guide, by Marc Israel and Steven Jones (Sybex, 2001) MCSE: Exchange Server 2000 Administration Study Guide, by Walter Glen with James Chellis (Sybex, 2001) MCSE: Exchange Server 2000 Design Study Guide, by William Heldman (Sybex, 2001) MCSE: NT Server 4 Support and Maintenance Study Guide, by Matthew Sheltz with James Chellis (Sybex, 2001)
Exam Requirements Candidates for MCSE certification in Windows 2000 must pass seven exams, including four core operating system exams, one design exam, and two electives, as described in the sections that follow. Design Requirement
Core Requirements
Designing a Windows 2000 Directory Services Infrastructure (70-219)
Windows 2000 Professional (70-210)
Windows 2000 Server (70-215)
Plus one of the following Windows 2000 Network Infrastructure Administration (70-216)
Windows 2000 Directory Services Administration (70-217)
Copyright ©2001 SYBEX, Inc., Alameda, CA
Designing Security for Windows 2000 Network (70-220)
Electives Any of the Design exams not taken for the Design requirement
Plus two of the following
Designing a Windows 2000 Network Infrastructure (70-221)
Designing Web Solutions with Windows 2000 Server Technologies (70-226)
www.sybex.com
Any current Elective exam. Topics include Exchange Server, SQL Server, and ISA Server
xxiv Introduction
For a more detailed description of the Microsoft certification programs, including a list of current and future MCSE electives, check Microsoft’s Training and Certification website at www.microsoft.com/trainingandservices.
The Installing, Configuring, and Administering Microsoft ISA Server, Enterprise Edition Exam The ISA Server exam covers concepts and skills required for the support of ISA Server computers. It emphasizes the following areas of ISA Server support: ■
Creating internal client access rules
■
Configuring the firewall
■
Deploying and configuring clients
■
Troubleshooting the system
■
Setting up H.323 gateways
■
Setting up different VPN connections
■
Enabling web and server publishing
■
Upgrading from Microsoft Proxy Server 2.0
■
Creating logs, alerts, and reports
■
■
Performing monitoring of the system through System Monitor counters Setting up ISA Server arrays
This exam can be quite specific regarding ISA Server requirements and operational settings, and it can be particular about how administrative tasks are performed in the operating system—especially relevant are Internet Information Server (IIS) 5.0 and Routing and Remote Access Service (RRAS). It also focuses on fundamental concepts relating to ISA Server’s operation. Careful study of this book, along with hands-on experience, will help you prepare for this exam.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxv
Microsoft provides exam objectives to give you a very general overview of possible areas of coverage on the Microsoft exams. For your convenience, this Study Guide includes objective listings positioned within the text at points where specific Microsoft exam objectives are discussed. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s Training and Certification website (www.microsoft.com/ trainingandservices) for the most current listing of exam objectives.
Types of Exam Questions In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has focused its Windows 2000 exams on real experience and hands-on proficiency. There is a higher emphasis on your past working environments and responsibilities and less emphasis on how well you can memorize. In fact, Microsoft says an MCSE candidate should have at least one year of hands-on experience.
Microsoft will accomplish its goal of protecting the exams’ integrity by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.
Exam questions may be in a variety of formats: Depending on which exam you take, you’ll see multiple-choice questions, as well as select-andplace and prioritize-a-list questions. Simulations and case study–based formats are included, as well. You may also find yourself taking what’s called an adaptive format exam. Let’s take a look at the types of exam questions and examine the adaptive testing technique, so that you’ll be prepared for all of the possibilities.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxvi Introduction
With the release of Windows 2000, Microsoft has stopped providing a detailed score breakdown. This is mostly because of the various and complex question formats. Previously, each question focused on one objective. The Windows 2000 exams, however, contain questions that may be tied to one or more objectives from one or more objective sets. Therefore, grading by objective is almost impossible.
For more information on the various exam question types, go to
www.microsoft.com/trainingandservices/default.asp?PageID= mcp&PageCall=tesinn&SubSite=examinfo.
Multiple-Choice Questions Multiple-choice questions come in two main forms. One is a straightforward question followed by several possible answers, of which one or more is correct. The other type of multiple-choice question is more complex and based on a specific scenario. The scenario may focus on a number of areas or objectives.
You will see many multiple-choice questions in this study guide and on the accompanying CD, as well as on your exam. We’ve tried very hard to include a variety of exhibits in the practice exam and end-of-chapter questions as well so that you have a feel for the way that the test will look to you in real life.
Select-and-Place Questions Select-and-place exam questions involve graphical elements that you must manipulate in order to successfully answer the question. For example, you might see a diagram of a computer network, as shown in the following graphic taken from the select-and-place demo downloaded from Microsoft’s website.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxvii
A typical diagram will show computers and other components next to boxes that contain the text “Place here.” The labels for the boxes represent various computer roles on a network, such as a print server and a file server. Based on information given for each computer, you are asked to select each label and place it in the correct box. You need to place all of the labels correctly. No credit is given for the question if you correctly label only some of the boxes. In another select-and-place problem, you might be asked to put a series of steps in order, by dragging items from boxes on the left to boxes on the right and placing them in the correct order. One other type requires that you drag an item from the left and place it under an item in a column on the right. Simulations Simulations are the kinds of questions that most closely represent actual situations and test the skills you use while working with Microsoft software interfaces. These exam questions include a mock interface on which you are asked to perform certain actions according to a given
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxviii Introduction
scenario. The simulated interfaces look nearly identical to what you see in the actual product, as shown in this example:
Because of the number of possible errors that can be made on simulations, be sure to consider the following recommendations from Microsoft: ■
■
■
■
Do not change any simulation settings that don’t pertain to the solution directly. When related information has not been provided, assume that the default settings are used. Make sure that your entries are spelled correctly. Close all the simulation application windows after completing the set of tasks in the simulation.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxix
The best way to prepare for simulation questions is to spend time working with the graphical interface of the product on which you will be tested. Case Study–Based Questions Case study–based questions first appeared in the MCSD program. These questions present a scenario with a range of requirements. Based on the information provided, you answer a series of multiple-choice and selectand-place questions. The interface for case study–based questions has a number of tabs, each of which contains information about the scenario.
At present, this type of question appears only in most of the Design exams.
Adaptive Exam Format Microsoft presents many of its exams in an adaptive format. This format is radically different from the conventional format previously used for Microsoft certification exams. Conventional tests are static, containing a fixed number of questions. Adaptive tests change depending on your answers to the questions presented. The number of questions presented in your adaptive test will depend on how long it takes the exam to ascertain your level of ability (according to the statistical measurements on which exam questions are ranked). To determine a test-taker’s level of ability, the exam presents questions in an increasing or decreasing order of difficulty.
Unlike the earlier test format, the adaptive test does not allow you to go back to see a question again. The exam only goes forward. Once you enter your answer, that’s it—you cannot change it. Be very careful before entering your answers. There is no time limit for each individual question (only for the exam as a whole). Your exam may be shortened by correct answers (and lengthened by incorrect answers), so there is no advantage to rushing through questions.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxx Introduction
Exam Question Development Microsoft follows an exam-development process consisting of eight mandatory phases. The process takes an average of seven months and involves more than 150 specific steps. The MCP exam development consists of the following phases:
Phase 1: Job Analysis Phase 1 is an analysis of all the tasks that make up a specific job function, based on tasks performed by people who are currently performing that job function. This phase also identifies the knowledge, skills, and abilities that relate specifically to the performance area being certified.
Phase 2: Objective Domain Definition The results of the job analysis phase provide the framework used to develop objectives. Development of objectives involves translating the job-function tasks into a comprehensive package of specific and measurable knowledge, skills, and abilities. The resulting list of objectives—the objective domain—is the basis for the development of both the certification exams and the training materials.
Phase 3: Blueprint Survey The final objective domain is transformed into a blueprint survey in which contributors are asked to rate each objective. These contributors may be MCP candidates, appropriately skilled exam-development volunteers, or Microsoft employees. Based on the contributors’ input, the objectives are prioritized and weighted. The actual exam items are written according to the prioritized objectives. Contributors are queried about how they spend their time on the job. If a contributor doesn’t spend an adequate amount of time actually performing the specified job function, his or her data are eliminated from the analysis. The blueprint survey phase helps determine which objectives to measure, as well as the appropriate number and types of items to include on the exam. Phase 4: Item Development A pool of items is developed to measure the blueprinted objective domain. The number and types of items to be written are based on the results of the blueprint survey.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxxi
Phase 5: Alpha Review and Item Revision During this phase, a panel of technical and job-function experts reviews each item for technical accuracy. The panel then answers each item and reaches a consensus on all technical issues. Once the items have been verified as being technically accurate, they are edited to ensure that they are expressed in the clearest language possible.
Phase 6: Beta Exam The reviewed and edited items are collected into beta exams. Based on the responses of all beta participants, Microsoft performs a statistical analysis to verify the validity of the exam items and to determine which items will be used in the certification exam. Once the analysis has been completed, the items are distributed into multiple parallel forms, or versions, of the final certification exam. Phase 7: Item Selection and Cut-Score Setting The results of the beta exams are analyzed to determine which items will be included in the certification exam. This determination is based on many factors, including item difficulty and relevance. During this phase, a panel of job-function experts determines the cut score (minimum passing score) for the exams. The cut score differs from exam to exam because it is based on an item-by-item determination of the percentage of candidates who answered the item correctly and who would be expected to answer the item correctly.
Phase 8: Live Exam In the final phase, the exams are given to candidates. MCP exams are administered by Prometric and Virtual University Enterprises (VUE).
Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to merely memorize exam questions that were passed along by previous test-takers.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxxii Introduction
Tips for Taking the ISA Server Exam Here are some general tips for achieving success on your certification exam: ■
■
■
■
■
Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information. Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking. Answer all questions. Remember that the adaptive format does not allow you to return to a question. If you happen to be taking an adaptive exam, be very careful before entering your answer. Because your exam may be shortened by correct answers (and lengthened by incorrect answers), there is no advantage to rushing through questions. If you happen to take a test with simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used. For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.
Exam Registration You may take the Microsoft exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Prometric at 800755-EXAM (755-3926), or call VUE at 888-837-8616. Outside the United States and Canada, contact your local Prometric or VUE registration center. Find out the number of the exam you want to take, and then register with the Prometric or VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $100 each and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxxiii
registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.
You may also register for your exams online at www.prometric.com or www.vue.com.
When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric or VUE. Microsoft requires certification candidates to accept the terms of a Non-Disclosure Agreement before taking certification exams.
What Does This Book Cover? This book contains detailed explanations, hands-on exercises, and review questions to test your knowledge. Think of this book as your complete guide to ISA Server. It begins by covering the most basic concepts, such as the features of proxy servers and firewalls and how to install and configure ISA Server. Next, you will learn how to perform important tasks, including the following: ■
Setting up access rules and IP packet filters
■
Creating client VPN access points
■
Configuring intrusion detection
■
Setting up H.323 gateways
You will also learn how to configure and monitor various aspects of ISA Server, tune the server’s performance, work with web and server publishing, and troubleshoot your system. Throughout the book, you will be guided through hands-on exercises, which give you practical experience for each exam objective. At the end of each chapter, you’ll find a summary of the topics covered in the chapter, which also includes a list of the key terms used in that chapter. The key terms represent not only the terminology that you should recognize, but also the underlying concepts that you should understand to pass the exam. All of the key terms are defined in the glossary at the back of the study guide.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxxiv Introduction
Finally, each chapter concludes with 20 review questions that test your knowledge of the information covered. Many more questions, as well as multimedia demonstrations of the hands-on exercises, are included on the CD that accompanies this book, as explained in the “What’s on the CD?” section.
The topics covered in this book map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.
If you want to acquire a solid foundation in ISA Server, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field. If you want to become certified as an MCSE, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows 2000, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows 2000.
How to Use This Book What makes a Sybex Study Guide the book of choice for over 100,000 MCSEs? We took into account not only what you need to know to pass the exam, but what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following: Objective-by-objective coverage of the topics you need to know Each chapter lists the objectives covered in that chapter, followed by detailed discussion of each objective. Assessment Test Directly following this Introduction is an Assessment Test that you should take. It is designed to help you determine how much you already know about Windows 2000. Each question is tied to a topic discussed in the book. Using the results of the Assessment test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book. Exam Essentials To highlight what you learn, you’ll find a list of Exam Essentials at the end of each chapter. The Exam Essentials section
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxxv
briefly highlights the topics that need your particular attention as you prepare for the exam. Key Terms and Glossary Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and a list of the Key Terms appears just after the Exam Essentials. At the end of the book, a detailed Glossary gives definitions for these terms, as well as other general terms you should know. Review questions, complete with detailed explanations Each chapter is followed by a set of Review Questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel of what you’ll see on the exam. Questions are multiple choice and include exhibits, just like you’ll see on the exam. Hands-on exercises In each chapter, you’ll find exercises designed to give you the important hands-on experience that is critical for your exam preparation. The exercises support the topics of the chapter, and they walk you through the steps necessary to perform a particular function. Real World Scenarios Because reading a book isn’t enough for you to learn how to apply these topics in your every-day duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense, in a working environment you’d actually encounter. Interactive CD Every Sybex Study Guide comes with a CD complete with the Sybex EdgeTest test engine and electronic flashcards for use with PCs and Palm devices. Details are in the following section.
What’s on the CD? With this new member of our best-selling MCSE Study Guide series, we are including quite an array of training resources. The CD offers hundreds of review questions, two bonus exams, and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here: The Sybex Ebook for ISA Server Many people like the convenience of being able to carry their whole study guide on a CD. They also like being able to search the text via computer to find specific information
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxxvi Introduction
quickly and easily. For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF format. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities. The Sybex MCSE EdgeTests The EdgeTests are a collection of multiple-choice questions that will help you prepare for your exam. There are four sets of questions: ■
■
■
■
Two bonus exams designed to simulate the actual live exam. An adaptive test simulator that will give the feel for how adaptive testing works. All the questions from the Study Guide, presented in a test engine for your review. You can review questions by chapter, by objective, or you can take a random test. The Assessment Test.
Here is a sample screen from the Sybex MCSE Edge Tests:
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxxvii
Sybex MCSE Flashcards for PCs and Palm Devices The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex MCSE Flashcards set consists of more than 150 questions presented in a special engine developed specifically for this study guide series. Here’s what the Sybex MCSE Flashcards interface looks like:
Because of the high demand for a product that will run on Palm devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).
How Do You Use This Book? This book provides a solid foundation for the serious effort of preparing for the exam. To best benefit from this book, you may wish to use the following study method: 1. Take the Assessment Test to identify your weak areas. 2. Study each chapter carefully. Do your best to fully understand the
information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xxxviii Introduction
3. Complete all the hands-on exercises in the chapter, referring back to
the text as necessary so that you understand each step you take.
In order to complete the exercises in this book, you will need ISA Server installed and your hardware should meet the minimum hardware requirements for ISA Server. See Chapter 2, “ISA Server 2000 Installation,” for the minimum and recommended system requirements.
4. Read over the Real World Scenarios, to improve your understanding
of how to use what you learn in the book. 5. Study the Exam Essentials and Key Terms to make sure you are
familiar with the areas you need to focus on. 6. Answer the review questions at the end of each chapter. If you prefer
to answer the questions in a timed and graded format, install the Edge Tests from the book’s CD and answer the chapter questions there instead of in the book. 7. Take note of the questions you did not understand, and study the
corresponding sections of the book again. 8. Go back over the Exam Essentials and Key Terms. 9. Go through the Study Guide’s other training resources, which are
included on the book’s CD. These include electronic flashcards, the electronic version of the chapter review question (try taking them by objective), and the two bonus exams. To learn all the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study, and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!
Contacts and Resources To find out more about Microsoft Education and Certification materials and programs, to register with Prometric or VUE, or to obtain other useful
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction
xxxix
certification information and additional study resources, check the following resources: Microsoft Training and Certification Home Page www.microsoft.com/trainingandservices
This website provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification. Microsoft TechNet Technical Information Network www.microsoft.com/technet
800-344-2121 Use this website or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information. Palm Pilot Training Product Development: Land-J www.land-j.com 407-359-2217 Land-J Technologies is a consulting and programming business currently specializing in application development for the 3Com PalmPilot Personal Digital Assistant. Land-J developed the Palm version of the Edge Tests, which is included on the CD that accompanies this Study Guide. Prometric
www.prometric.com
800-755-3936 Contact Prometric to register to take an MCP exam at any of more than 800 Prometric Testing Centers around the world. Virtual University Enterprises (VUE) www.vue.com 888-837-8616 Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers. MCP Magazine Online
www.mcpmag.com
Microsoft Certified Professional Magazine is a well-respected publication that focues on Windows certification. This site hosts chats and
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xl
Introduction
discussion forums, and tracks news related to the MCSE program. Some of the services cost a fee, but they are well worth it. Windows 2000 Magazine
www.windows2000mag.com
You can subscribe to this magazine or read free articles at the website. The study resource provides general information on Windows 2000. Cramsession on Brainbuzz.com cramsession.brainbuzz.com Cramsession is an online community focusing on all IT certification programs. In addition to discussion boards and job locators, you can download one of a number of free cramsessions, which are nice supplements to any study approach you take.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Assessment Test 1. You are the administrator of an ISA array. What two things must
you do to enable reports? A. Create new report containers B. Enable reports C. Create report jobs D. Enable logs E. Enable report jobs 2. The three log files that are created in ISA Server are
_______________, __________, and ___________. A. IPPEXTnyyyymmdd.log B. ISAEXTnyyyymmdd.log C. WEBEXTnyyyymmdd.log D. FWSEXTnyyyymmdd.log 3. You would use the _______________ utility to figure out how much
of the allotted disk space the cache is using. A. Network Monitor B. Performance Monitor C. System Meter D. Health Meter E. Cache Monitor 4. What two ways do you have of saving space on the disk that the log
files write to? A. Compress the files. B. Overwrite the files on a schedule. C. Allow only a set number of files. D. Allow all servers in the array to write to a single log file. E. Truncate logging on checkpoint. Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xlii
Assessment Test
5. Can ISA Servers work in tandem with MS Proxy Server 2.0
installations? A. Yes, but Microsoft Proxy Server 2.0 computers have to have an
ISA Server at the top of the hierarchy. B. Yes; no modifications are required. C. Yes, but you must upgrade the Microsoft Proxy Server 2.0
computers to ISA Server. D. No. 6. Name some reasons to upgrade your MS Proxy Server 2.0 array to
an ISA Server array. (Choose all that apply.) A. ISA Server integrates with Exchange 2000 for alerting and
messaging purposes. B. ISA Server integrates with Active Directory. C. ISA Server arrays can be managed much more granularly. D. ISA Server arrays are far more secure. 7. What are some new features of ISA Server? (Choose all that apply.) A. Stateful inspections B. Packet filtering C. Intrusion detection D. Web filtering 8. In an ideal reverse-hosting scenario, how many ISA Servers do you
require? A. 1 B. 2 C. 3 D. 4
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Assessment Test
xliii
9. What does a packet filter do? A. It modifies the contents of certain fields in all incoming packets. B. It changes source IP addresses to NAT-ted addresses. C. It watches for packets of certain protocol types and allows or
disallows them. D. It redirects certain incoming packets to a different computer on
the network. 10. What are the two policies that can be used by members of an ISA
Server array? A. Enterprise B. Secure C. Network Load Balancing D. Array 11. You would use __________ coupled with ________ to provide robust
cache lookups over several ISA Servers. A. Network Load Balancing B. Cache Array Routing Protocol (CARP) C. Enterprise policies D. Arrays 12. Enterprise policies have two default schedule choices. What are
they? A. Work Hours B. Weekdays C. Weekends D. Holidays E. All Hours
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xliv
Assessment Test
13. What are the requirements for implementing an ISA Server array
using Network Load Balancing? (Choose all that apply.) A. Windows NT 4 Option Pack B. Advanced Server or DataCenter Server C. Windows 2000 domain D. Active Directory schema extensions E. Network Load Balancing installed and configured F. ISA Server Standard or Enterprise Edition 14. What is the product of running the Remote VPN Wizard? A. A VPC file B. A VPN file C. MSPLAT.TXT D. LOCALLAT.TXT 15. Static routing is best configured by using which tools? (Select all that
apply.) A. The ISA MMC B. The RRAS MMC C. The command prompt D. RIP and OSPF 16. Digital certificates are issued by which Microsoft product? A. Windows 2000 Server B. Internet Information Server C. ISA Server 2000 D. Certificate Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Assessment Test
xlv
17. Allowing a client to connect to an RRAS server that resides behind
an ISA Server is referred to as what? A. Convergence B. Connection C. VPN pass-through D. Pass-through authentication 18. When upgrading from MS Proxy Server 2.0 to ISA Server you must
_________ the Proxy ________, __________ the Proxy _________, install Windows 2000 SP1 and then _________ _______ ________. A. Backup, configuration, stop, services, install ISA Server B. Stop, service, remove, server, install ISA Server C. Remove, array, stop, services, deinstall Proxy Server D. Remove, array, stop, services, install ISA Server E. Stop, service, remove, server, deinstall Proxy Server 19. ______________ of MS Proxy Server 2.0 servers and ISA Servers is
supported. A. Shared clients B. Mixed chaining C. Logical looping D. Secure tunneling 20. What configuration mode would you select if you wanted to
provide web publishing, allow for IP packet filtering, and provide web-caching functionality? A. Cache B. Integrated C. Firewall D. Hardened
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xlvi
Assessment Test
21. What will be the consequences of entering the address of the
external interface in your ISA Server’s LAT? A. Nothing. B. You’ll be unable to configure IP packet filter rules. C. You’ll be unable to publish web servers. D. The ISA Server service will not start. 22. What are the four supported ISA Server client computer clients? A. Firewall client B. Checkpoint client C. RealSecure client D. Web proxy client E. SecureNAT client F. Winsock Proxy client 23. Linux computers can make use of only the _____________ and
_________ clients. A. Firewall B. Web proxy C. SecureNAT D. Winsock Proxy 24. In order to allow Firewall and SecureNAT clients to make use of the
ISA Server’s web cache, you’d configure which ISA Server filter? A. Web caching B. URL caching C. HTTP Redirector D. Cache Redirector
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Assessment Test
xlvii
25. You’re the administrator of a mid-sized network consisting of
Windows, Linux, Unix, and Macintosh clients. Which of the statements below is true about your ISA Server client installation? A. You can use only the SecureNAT client in this heterogeneous
network. B. You can use only the SecureNAT and Web proxy clients in this
heterogeneous network. C. You can use all three clients in this heterogeneous network. D. You can use only the SecureNAT and Web proxy client in this
heterogeneous network. 26. You use _________ _________and __________ _________ to provide
dial-up connectivity for ISA Server. A. DUN connectoids, dial-up entries B. RRAS service, DUN connectoids C. RRAS service, ISA networking D. RRAS service, routing rules 27. What three things do you need to completely open the ISA Server
for testing purposes? A. IP packet filter B. Routing rule C. Protocol rule D. Site and content rule E. Destination set F. Client set
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
xlviii
Assessment Test
28. You’re setting up your ISA Server to deny all outgoing protocols
with the exception of common Internet traffic. What protocols will you filter on? (Choose all that apply.) A. FTP B. HTTP C. HTTPS D. GOPHER 29. True or false: In addition to using the Web Publishing Wizard, you’ll
have to set up IP packet filters for the protocols you intend to use with your published website. A. True B. False 30. You use _________ to provide autodetection characteristics for
DHCP servers. A. WPAD B. WOMA C. ISAB D. WRUD 31. In order to set up a VPN connection between two ISA Server array
nodes, you must run which wizards? (Choose all that apply.) A. Protocol B. Local C. Remote D. Content
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Assessment Test
xlix
32. You cannot set up any dial-up connections on your ISA Server until
you have completed which of the following tasks? A. Installed RRAS B. Set up a Remote Access Policy C. Run the ISA Server Remote Access Wizard D. Created a phonebook entry 33. From the list below, select the common diagnostic and security
utilities that come with Windows 2000 and can be used with ISA Server. (Choose all that apply.) A. Telnet B. Netstat C. System Metrics D. Network Monitor E. System Manager
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Assessment Test 1. C, E. The five ISA reports are canned—there’s no enabling required.
However, you must create report jobs and set up the schedule they’ll use before a report can work for you. You also need to make sure that the report jobs are enabled (which they are by default). For more information, see Chapter 7. 2. A, C, D. The three logs are IP Packets, Web Proxy Service, and
Firewall Service. Each log file’s first three letters denote which log it’s reporting on: IPP for IP Packet, WEB for Web Proxy, and FWS for Firewall Service. The n changes, depending on whether you’re running a daily (D), weekly (W), monthly (M), or yearly (Y) log. For more information, see Chapter 7. 3. B. You’ll use the ISA Performance Monitor to view many of the
counters that are added to Windows 2000’s System Monitor at installation time. Among the pre-configured counters are those that help you decide how well the cache is doing. For more information, see Chapter 7. 4. A, C. Your two choices are to compress the files (enabled by default)
and limit the number of files that can be written to disk (disabled by default—if enabled, the default number is 7). For more information, see Chapter 7. 5. A. Microsoft has always been good about providing backward-
compatibility options, and this is so with MS Proxy Server installations you’re considering upgrading to ISA Server. ISA Server can play in the sandbox with stand-alone MS Proxy Server installations or with Proxy Server arrays. See Chapters 1 and 2 for more information. 6. B, C, D. An ISA Server array (not a stand-alone ISA Server) can
integrate with Active Directory, providing a “one-stop shopping” environment through the Microsoft Management Console for management and configuration. You’re afforded quite a bit more granularity in the way that you can set up and manage an ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Assessment Test
li
array over an MS Proxy Server array. ISA Server’s intrusion detection and enhanced packet filtering methods make it a better choice than Microsoft Proxy Server 2.0. See Chapters 1 and 5 for more information. 7. A, C. While ISA Server is capable of web filtering, it requires that
you buy a third-party tool to assist with this activity, and web filtering really isn’t new—Microsoft Proxy Server 2.0 was capable of it as well. Proxy Server could handle packet filtering as well, so there’s nothing new here. Stateful inspections (the ability of ISA Server to examine the packets coming in) make a decision on whether they’re to be allowed or not. Opening the required port then closing it after the packet(s) have gone through is a new feature. Intrusion detection is a much-welcomed addition as well. See Chapter 1 for more information. 8. B. Reverse hosting is the notion of putting your web servers on
the DMZ behind an ISA Server, protecting them from unwanted protocols and from intruder attacks. Ideally, you would also want an ISA Server between your private network and the DMZ, thus requiring a minimum of two ISA Servers to really fight the good fight. See Chapter 1 for more information. 9. C. The idea behind a packet filter is to have it watch for packets of
a certain protocol type and then make a determination about what to do with packets of that type. For example, you may want to disallow any incoming packets that are of ICMP (ping) in nature—a very common packet filter. See Chapter 1 for more information. 10. A, D. When configuring ISA Server computers in an array, you
can choose between array-based policies, in which case each array member is free to have its own unique policies established, and enterprise policies, in which the policy configured for the enterprise applies to all members of the array. See Chapter 5 for more information. 11. D, B. You set up ISA Server arrays and couple them with the Cache
Array Routing Protocol (CARP) to provide URL cache lookups across two or more ISA Servers. See Chapter 5 for more information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
lii
Answers to Assessment Test
12. A, C. There are only two schedules affiliated with enterprise policies:
Work Hours and Weekends. You are free to define other schedules or modify the existing two to fit your needs. See Chapter 5 for more information. 13. B, C, D, E. ISA Server arrays won’t work in an NT 4 domain, with
or without the NT 4 Option Pack (for clustering and NLB). You require a Windows 2000 Server to install ISA Server and you must install to an existing Windows 2000 domain. You’ll also have to use ISA Server Enterprise Edition to extend the AD schema to support ISA Server arrays. See Chapter 5 for more information. 14. A. A VPC file is created when the Remote VPN Wizard is run. For
more information, see Chapter 4. 15. B, C. The RRAS MMC and the command prompt are the tools
that can configure static routing tables. For more information, see Chapter 4. 16. D. Certificate Server acts as a Certificate Authority when installed to
provide certificates to clients for encryption. For more information, see Chapter 4. 17. C. VPN pass-through allows a VPN client to connect to a VPN
server behind an ISA Server firewall. For more information, see Chapter 4. 18. A. First, back up the Proxy Server configuration. Next, stop the
key Proxy services: wspsrv, mspadmin, mailalrt, and w3svc. Next, upgrade to Windows 2000 SP1. Finally, install ISA Server. Note that if you have an MS Proxy array, you’ll want to remove all members from the array before going forward with your upgrades. For more information, see Chapter 2. 19. B. MS Proxy Server can chain to ISA Servers, and ISA Servers can
chain to Proxy Servers. For more information, see Chapter 2. 20. B. With integrated mode, you can provide web caching as well as the
full cadre of firewall services. For more information, see Chapter 2.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Assessment Test
liii
21. D. The ISA Server service not starting is indicative of keying the
external interface’s address into the LAT. It’s extremely important to be careful when you arrive at the installation phase where you are configuring the LAT. For more information, see Chapter 2. 22. A, D, E, F. While the RealSecure client can be purchased and added
to the ISA Server, it is not a client computer client. Microsoft Proxy Server 2.0’s Winsock Proxy client is backwardly supported within ISA Server—the Winsock Proxy client turned into the Firewall client in ISA. See Chapter 6 for more information. 23. B, C. Linux clients can use the SecureNAT client because it merely
requires setting the client’s default gateway to the address of the internal interface of the ISA Server. Provided the browser that the Linux client is using supports the configuration of proxy server information, the Web proxy client can be used as well. See Chapter 6 for more information. 24. C. The HTTP Redirector filter is required if you want your Firewall
and SecureNAT clients to make use of the ISA Server’s web cache. The ISA Server must be installed in integrated mode in order to provide this filter. See Chapter 6 for more information. 25. C. ISA Server doesn’t care what kind of client you’re configuring
as long as you configure it correctly. You’d probably use the SecureNAT and Web proxy clients for your Linux, Unix, and Mac clients (as long as they used TCP/IP and had browsers that supported the client) and perhaps consider the Firewall client for your Windows users. See Chapter 6 for more information. 26. A. You’ll have to set up a connectoid through dial-up networking
(DUN) and dial-up entries in the ISA Management console to facilitate this capability. For more information, see Chapter 3. 27. A, B, C. You’ll create a completely open site and content rule that
allows all computers all the time to all sites. You’ll also create an IP packet filter that opens up all protocols. You’ll create a protocol rule that includes all protocols. For more information, see Chapter 3.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
liv
Answers to Assessment Test
28. A, B, C. It’s easy to set up a protocol rule and an IP packet filter
that allow any access using these outgoing protocols. For more information, see Chapter 3. 29. B. One of the great things about the Web Publishing Wizard is that
it sets up everything you need to begin publishing your website. You don’t need to worry about configuring your own set of protocol rules in addition to the work that it does. And, best of all, the rules it creates are dynamic, opening the ports when needed, closing them when not. For more information, see Chapter 3. 30. A. The Web Proxy Autodetection (WPAD) protocol allows you to
put an entry into your DHCP servers so that clients utilizing DHCP automatically receive their appropriate ISA Server settings. See Chapter 8 for more information. 31. B, C. There is a Local VPN Wizard that you run at the local ISA
Server and a Remote VPN Wizard that you run at the remote server. The remote server reads the local server’s VPC (VPN Configuration) file in order to facilitate the connection. Certain caveats apply: You must have a secondary DNS box at the remote site, and it must be a member of the local ISA Server’s array. See Chapter 8 for more information. 32. A, B, D. RRAS must be installed in order for dial-up connections to
work within ISA Server. You must also have a valid phonebook entry, and you must set up a remote access policy. There’s no such thing as the ISA Server Remote Access Wizard. See Chapter 8 for more information. 33. A, B, D. Netstat will, by far, be the most useful to you in terms of
figuring out which protocols are being used and on what ports. You can also use third-party port and protocol analyzers. See Chapter 8 for more information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
1
Introduction to ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
I
f you’ve not worked with proxy server, firewall, or web-filtering software before, you’re in for a treat as you work through this book. What interesting software! Think for a moment about what it might take to keep a person inside the private network from getting to websites that the company says should be off-limits. For example, suppose you want to establish a policy that keeps people from going to adult-oriented websites. But it seems that there must be 20 million of them—and more available each day! How are you supposed to keep track of all that? What about the efforts you need to go through to keep people from getting into your private network from the Internet? Or how about keeping outside people from attacking your firewall with scurrilous Denial of Service (DoS), User Data Protocol (UDP) bomb, or other disruptive attacks? What about if you’re running a network that uses one of the private IP address ranges? When users go out onto the Internet, they need to be represented by a valid IP address. How does that happen? You can see by the above questions where we’re headed with this book. Internet Security and Acceleration (ISA) Server 2000 does all of the above and more. It’s a big grown-up Microsoft Proxy Server 2.0, complete with most or all of the things that Proxy needed to make it play in the firewall world. ISA Server is a certified firewall, having achieved ICSA Labs certification on February 14, 2001. (See www.icsalabs.com for more information about ICSA.) This book will introduce you to ISA Server 2000, what it does, how it works, methods of configuration, modes of operation, troubleshooting techniques, reporting options, and dozens of other things you need to know to pass the certification exam and, more important, to make the software work correctly in your network. We start off with a basic chapter that talks about the whats and whys of this product. This chapter is an excellent place to clear up any confusion you may have about different types of server security products. Chapter 2,
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
The Need for Corporate Security 3
“ISA Server 2000 Installation,” and beyond begin to segue into the nuts and bolts of ISA Server. Because we include exercises in the chapters, you may want to have a test server handy for your lab testing as you go through this book, preferably one that can connect to the Internet (even if through dial-up). You’ll also need the ISA Server CD. Your lab server will need to be equipped with Windows 2000 Server, Advanced Server, or DataCenter Server—ISA won’t work on NT 4.0 (though it will work in NT 4.0 networks). (Server and Advanced Server require SP1.)
The Need for Corporate Security
W
e’re at a juncture in network computing where we face a highly perplexing phenomenon: We want to let our users out onto the Internet and bring the Internet in to our users because this capability facilitates so many great things. But, as we all know, the Internet has millions of people on it who have less than your company’s best interest at heart. While Sally might think, for example, that she’s gotten a really clever little screen background in her e-mail, what she’s not aware of is that the code behind the scenes is checking her address book, deleting key files on her computer, and fixing to send itself to others in order to do the same thing. There are those who get their kicks by trying to bring corporate websites to their knees—to stop them from functioning entirely. Big players have had it happen to them—Microsoft, Amazon, and others have experienced firsthand this kind of attack. Some people maintain that 70–80 percent of a network’s security problems come from within, not from without. The Sallys of the world make it difficult for administrators because unless you have extremely rigid policies in place, you just don’t know what somebody’s going to try to put on their computer, either by bringing it in from home or by downloading it through the web. And it goes without saying what a hassle e-mail administrators have gone through of late, what with the I Love You virus and other highly dangerous pieces of viral code that manage to slink their way through corporate e-mail servers all over the world. Today’s enterprise model dictates enterprise thinking and enterprise security modeling. Microsoft ISA Server is specifically designed to be an integral part of an enterprise security model. You use Windows 2000 Professional with policies in place to keep users from adding unwanted
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
4
Chapter 1
■
Introduction to ISA Server
software to their PCs. You use an antivirus policy with a good third-party solution to keep viruses from coming through the Internet, through e-mail, or from being put onto client computers. You use ISA Servers to manage the edge of your network, that scary dropping-off point between the Internet and your private corporate network. (Web servers live between the edge of the network and the Internet in a place we lovingly call the demilitarized zone, or DMZ.) Figure 1.1 shows this scenario. A DMZ is the area where the internal network is separated by a firewall, which in turn is separated from the Internet by a firewall. There are two methods of creating a DMZ. You can set up a firewall that interfaces with the Internet, put your web and other DMZ application servers behind it, and then put another firewall behind the DMZ to protect your internal network. Or you can put three network cards in your firewall server (called a triple-homed server), one leg of which goes to the DMZ, one to the Internet, and one to the internal network. Either way, you’re protecting both the DMZ and the internal network by use of a firewall. Web servers rarely sit on the DMZ without benefit of a forward firewall. FIGURE 1.1
A standard private/DMZ/Internet network layout
Private network
Edge devices: Routers Firewalls Proxy servers
DMZ
Internet
This figure represents only one design; there are others, but you get the picture. There’s at least one and probably more devices that shield the edge of your private network from Internet users and hackers. You need a router to make determinations about what packets need to go where and a firewall to prevent scurrilous individuals from trying to get into your private network and other accoutrements.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
The Need for Corporate Security 5
The “Lookie What I Have Here” Manager Monica is the network manager for a mid-sized insurance company of around one thousand users. She has a fairly robust antivirus policy in place but doesn’t have the staff she needs to make sure that all computers are completely updated with the latest-and-greatest virus signature files on a routine basis. Because of this, some PCs get out of date and thus become privy to new viruses that may come down the line. Monica receives news that there is a new virus out in the world—one that ships itself through e-mail as an image document—a picture of a provocatively posed female model in a bikini. Most e-mail server antivirus-scanning software can be set to disallow any kind of file, but Monica has her e-mail server set only to disallow EXE files from coming in the door. Since this new graphic doesn’t have an .exe extension, she’s not filtering for it. The file makes its way into the internal network and one of the managers opens it. While the manager admires the bikini-clad young woman in the picture, the code behind the scenes reads his e-mail address book and sends an e-mail message out to each of the users listed therein that says, “Look what I found!” The code also deletes key system DLL files and then exits. As fate would have it, this manager doesn’t have the newest antivirusscanning software on his PC, and so when he’s finished viewing the image his system halts. Further, the system won’t reboot and a technician is called out to rebuild it. Others receive the image but don’t open it, while still other have upto-date antivirus software on their computers and receive evidence that a file was at one time attached but is now no longer available (having been cleaned by the antivirus software). Of the 450 computers that the image sent itself to, 90 of them did not have up-to-date virus scanners, 30 people opened the image, and hundreds of e-mail documents with the image in it went out onto the
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
6
Chapter 1
■
Introduction to ISA Server
Internet to e-mail users listed in people’s address books, where the process started all over. Ronnie, the hacker who wrote the virus code, thought it was cool that his virus made it all the way to the major antivirus manufacturer’s website of “malicious virus” listings.
What Is a Proxy Server?
T
he word proxy means an agent or a substitute. A proxy server’s primary purpose is to hide the IP addresses of internal clients from the Internet. You might need to do this because you’re running a reserved IP address range on your private network (192.168.y.z, for example) or, even if you do have legitimate external addresses, because you don’t want those addresses visible to Internet users. A proxy server substitutes the internal client’s IP address with a valid external address. It does this through the use of two network interface cards (NICs)—one that works on the internal net and one that’s pointed to the Internet—or through a single NIC or an alternative connection to the Internet—perhaps a dial-up connection. So, for example, a user on a private network with IP address 192.168.13.42 would hit the internal proxy server NIC (perhaps 192.168.13.1), the proxy server software would turn around and handle the Internet connectivity for the user through its external NIC (perhaps 165.27.38.1), and the user would utilize the Internet without anyone on the outside knowing any inside numbers. This process is called Network Address Translation (NAT) and we would say that the internal user’s address had been NAT-ted. We should point out that the truest intent of a proxy server is to merely fetch material on behalf of a client. Therefore, NAT-ting isn’t absolutely necessary. However, NAT-ting is part and parcel of MS Proxy Server and would be something you might consider a value-added component for any proxy server product you were wishing to purchase.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
What Is a Proxy Server? 7
Benefits and Uses of a Proxy Server NAT-ting is a key benefit of a proxy server. But there are other benefits as well. Web caching is a feature of proxy server software. You can cache frequently hit sites locally at the proxy server, thus reducing the time that it takes for users to go directly to the site and pull up the page, increasing overall performance. You can also configure caching retention, disk space usage, and other settings. Proxy server software allows for a concept called packet filtering. Don’t want internal users to be able to download files off of an Internet-based FTP site? Set up a packet filter that disables FTP, and your users won’t be able to perform this function any longer. You’re actually filtering out the usage of the File Transfer Protocol when you set up this kind of filter. You can filter either internal usage or external usage or both. In other words, you can set up a proxy server so that it also filters out attempts to FTP in from the Internet. Many different protocols are available in the filter list— more than you may even realize are available on the Internet. With packet filtering, you control the incoming and outgoing flow of packets—which packets are allowed and which are not. You can set proxy server software to disallow internal users from hitting certain websites. This functionality is called web filtering. In the case of both ISA Server and MS Proxy Server 2.0, you can key in sites that you don’t want users to hit and apply the filter to certain groups of users. The problem with this scenario is that it’s tedious because you have to key in each site individually and can’t possibly capture the ever-changing nature of the Internet. ISA Server has a third-party Software Developer’s Kit (SDK) that allows independent parties to develop add-in components for ISA Server. MS Proxy Server 2.0 also had this capability. In either case (ISA or Proxy Server), the developers would write an ISAPI filter—a filter that is customized to perform a certain function when working with either product. Web-filtering software that is more robust in its functionality is an example of a third-party software application that can be purchased to go along with ISA Server. See www.smartfilter.com and www.surfcontrol.com as examples of companies that are writing third-party add-ins for ISA Server and that wrote add-ins for Proxy Server 2.0.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
8
Chapter 1
■
Introduction to ISA Server
Proxy servers allow for what is called reverse hosting (or might be referred to as secure publishing). The concept is simple, but its implementation can get complicated. If you have, for example, a web server on your internal network that you’d like to have available to Internet users, you can use proxy server software to allow for this. Alternatively, you can put your web server on the DMZ but behind a proxy server, thus allowing the proxy server to impersonate the web server and provide an added level of web server security. This process is called reverse proxy. FIGURE 1.2
Differences between reverse hosting and reverse proxy Reverse Hosting
Web server
ISA Server
Internet user
Private network
DMZ
Reverse Proxy
Web server Private network
ISA Server
Internet user
DMZ
You can clearly see in Figure 1.2 the difference between the two ideas. With reverse hosting, we’re actually hosting our web servers inside the private network and using ISA Server to allow secure connectivity between Internet users and the web servers. The key word here is secure. ISA Server makes sure that Internet users aren’t able to hack into other parts of the network. You might use a scenario such as this in a situation where you don’t have enough resources or your web presence isn’t large enough to demand a DMZ (and all of the demands that go along with maintaining a DMZ). On the other hand, reverse proxy merely puts an ISA Server in front of web server(s) sitting on the DMZ. This is the technique of using reverse
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
What Is a Proxy Server? 9
proxy. Ideally, you’d like to see a scenario such as the one shown in Figure 1.3, where you have not only an ISA server in front of the web servers, but also behind the web servers at the entrance to the private network. You can tune the ISA servers differently so that box A performs intrusion detection and filters out certain protocols that you know you’ll never allow to access the web servers, while box B acts as a complete robust firewall. FIGURE 1.3
Ideal DMZ scenario
Internet e-mail user
ISA Server B Private network
Web server
ISA Server A
Internet web user
DMZ
Note in Figure 1.3 that you may have an Internet e-mail user who desires to utilize your web servers only to send e-mail to someone. The firewall can secure the private network and still allow Internet e-mail to enter (typically on port 25). Let’s get a little more carried away. Suppose that you have a database server using Microsoft SQL Server 2000 that you want to live on the private network. Web servers that live on the DMZ need to utilize the databases on this database server for, say, e-commerce work. You could simply key in a rule that allowed only the web servers to communicate through the firewall to the inside database server. You could also go one step further and set up a virtual private network (VPN) between each web server and the database server. Since ISA Server can handle VPN traffic, and L2TP with IPSec creates a highly secure VPN tunnel, you’d have extremely granular security applied to your e-commerce scenario. Technically, we’d call this a secure IPSec tunnel as opposed to a VPN, but the concepts are
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
10
Chapter 1
■
Introduction to ISA Server
the same for both, so we’ll simply refer to the above as a VPN. Takes a lot of extra time to configure and test? Sure it does. Is it worth it? Well, recently a company that’s in the e-commerce business had thousands of their credit card numbers stolen from an internal database and held for ransom until the thieves were paid. The thieves were given their money but were never caught. Figure 1.4 shows the VPN scenario. FIGURE 1.4
E-commerce VPN scenario
VPN circuit
Database server
ISA Server B Private network
Web server
ISA Server A
Internet web user
DMZ
In such a scenario as Figure 1.4, you really haven’t added any more servers than before; you’ve merely upped the ante in terms of security complexity. Truly though, companies that are interested in e-commerce activity need to consider whether such extra effort is worth it or not. Good proxy server software will also support VPN connectivity for users who desire to access the private network from the Internet.
For more information regarding VPNs and the various choices you have at your disposal, see MCSE: Windows 2000 Network Infrastructure Administration Study Guide, Second Edition (Sybex, 2001) and MCSE: Windows 2000 Network Infrastructure Design Study Guide (Sybex, 2000).
Proxy server software should support Secure Sockets Layer (SSL) for encrypted sessions between an Internet user and web servers (such as an e-commerce catalog site).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
What Is a Proxy Server? 11
Proxy server software allows for circuit layer security—listening for Telnet, RealAudio, and other sorts of circuits that users are trying to set up over the Web. You can filter out any circuits or allow them to continue; the design and implementation is your choice. Server hosting allows for packets directed to the internal network from the Internet to be sent directly to the participating server. For example, e-mail documents can be sent directly from the proxy server to the internal e-mail server. Figure 1.5 shows this scenario. FIGURE 1.5
Server hosting scenario
E-mail server
ISA Server Private network
Internet client DMZ
Some proxy server software comes with proprietary software that has to be installed on each computer in the network in order to accommodate all of a proxy server’s functionality. For example, to make full use of MS Proxy Server 2.0’s Winsock capabilities, you would have to install the Winsock client on each workstation. ISA Server supports the old MS Proxy Server 2.0 client (called the Winsock Proxy client), as well as the SOCKS client. (There is an add-on to support SOCKS v4. ISA Server does not, however, migrate MS Proxy Server 2.0 SOCKS rules at migration time.)
If you’ve configured Internet Explorer with the Internet Explorer Administration Kit (IEAK) and you’ve pointed each user to a specific proxy server address, when you get ready to move users to an ISA Server environment that’s using a different IP address, you may be forced to recompile and re-push IE with the new, good address to all clients. This can add significant time to your ISA Server rollout plans.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
12
Chapter 1
■
Introduction to ISA Server
Windows 2000 Advanced Server supports Internet Connection Sharing (ICS) and NAT. Both features are designed for smaller offices that require the capability of dialing up to an Internet service provider (ISP) so that users can utilize the Internet. ICS allows for the sharing of a connection and for the NAT-ting of internal to external addresses. You’d likely use NAT or ICS in small office, home office (SOHO) environments where very few users are connected at one time, though it certainly might prove useful in smaller companies that can’t afford or don’t feel they need the horsepower of ISA Server. ICS isn’t routable, so it won’t work in larger organizations that span routers. NAT can work in deployments with routers. ICS and NAT cannot be installed on the same server.
Using MS Proxy Server 2.0 with an Internal Exchange 5.5 Server When I worked as a consultant, I once had a contract with a small government agency. My task was to replace an old firewall product with MS Proxy Server 2.0. The client had an internal Exchange 5.5 Server that had to continue to communicate with the Internet (for incoming Internet e-mail purposes), so I had to pay close attention to Proxy Server’s server-hosting feature. The trick is pretty simple. You add a couple of INI settings to the Exchange Server’s BIN directory and install the Proxy Server client. Everything should’ve fired off and begun working right away. But we ran into complications at the outset. I wound up calling Microsoft, opening a support ticket, and talking on the phone with them for nearly three hours while we troubleshot the problem. Turns out that I had some permissions set wrong in the Proxy Server box, and when we straightened out its settings, the whole thing took off and ran just fine.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
What Is a Firewall? 13
What Is a Firewall?
A
firewall doesn’t differ that much from a proxy server. Essentially, the difference is that you key rules into a firewall and these rules, firing in order, determine which computers may get into the private network from the Internet and which protocols they may use to get there. You can also configure rules that keep internal users from using certain protocols or certain computers from getting out onto the Internet. You can configure groups of users so that you don’t have to create hundreds of individual rules. As you might imagine, asking software to run through a bunch of rules in a firewall before it makes a decision as to whether to allow a certain operation or not could really slow down activity if the rule list was too long. There are many uses of firewalls, including the following: ■
■
Providing circuit-level gateways. That is, after a TCP or UDP connection has been made, the security of the connection is maintained and no further checking is required. Providing the ability to set up application-level security for applications such as Telnet or FTP.
■
Filtering packets based upon the way you configure the rules.
■
Acting as proxy servers (by NAT-ting the address).
Microsoft Proxy Server 2.0 is billed as a firewall, and some may argue with that connotation, but it’s perfectly true in context with what we know a firewall to do. So how are a firewall and a proxy server different from one another? Largely, the difference lies in the ability to key in the rules that make a firewall work. You don’t key rules into a Microsoft Proxy Server 2.0 setup. You enter rules into an ISA Server computer that’s been equipped as a firewall. Firewalls don’t do any web filtering on their own. Generally, you use a separate product alongside a firewall to accommodate your web-filtering needs. Proxy servers can filter web content, with or without third-party add-on help.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
14
Chapter 1
■
Introduction to ISA Server
You can buy hardware- or software-based firewalls. Cisco manufactures a wonderful firewall called Pix. Since the firewall code is built into the firmware, you get a wire-speed firewall. But you pay big bucks for it, too. Firewalls generally start out with the premise that no protocol is allowed into the system until rules are created. Proxy servers generally start out with the premise that all protocols are allowed in until you decide to rule certain ones out. Firewalls can work with users, groups, computers, and other non-protocol types of objects, whereas proxy servers are typically concerned with IP addresses and protocols.
The Cable Modem User Do DSL and cable modem users need a firewall? Think about it. Here you have a computer, with a NIC, connected to what amounts to an Internet network. Your cable modem/DSL-linked computer’s IP address is known across the Internet. In fact, if you’re at work, you can probably ping your home computer, if not by name, then certainly by IP address (provided, of course, that the broadband company’s firewalls allow for pings). This is remarkable! It means that hackers, for example, could get into your personal computer at home, which is connected to the Internet via cable modem or DSL, and change your online tax form for you so that it said you made a million dollars! That’d get a laugh out of a few hackers, thinking that you were sitting in an IRS hot seat because of a malicious little change they made. Or how about this scenario: Napster-ites, irritated by legal rulings barring them from sharing songs, decide that the 8GB of free space you have on your computer would be a good place to store some of the songs they’re sharing out—making your PC a sort of surrogate Napster database server, if you will. But there are indeed miniature firewalls available for DSL and cable modems. One that is particularly good and, best of all, free for home consumers, is called Zone Alarm. It’s available by visiting www.zonelabs.com. This company also manufactures higher-end firewall solutions, but the fact that Zone Alarm is so good while also
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Internet Protocols and Ports 15
being free makes it a very attractive offering. Computer Associates manufactures EZ-Armor, which utilizes an incorporated firewall and antivirus product all in one, but there is a yearly charge for its use.
Common Internet Protocols and Ports
W
orking with a proxy and firewall server requires that you be familiar with the common Internet protocols and their associated ports. There are several key reasons for this. First of all, if you aren’t familiar with at least the most common of ports, you have no way of knowing whether you’re being hacked into or not. Second, if you know of a port that’s commonly used and hence is a target for hackers, perhaps there are workarounds you can employ to prevent hacking. For example, HTML commonly uses port 80. Since it’s a well-known port, hackers will make an initial hacking attempt at port 80. By hosting web servers at port 8080 instead, you can avert some of the security problems. (The problem is that port 8080 is now also well known—see Table 1.1 for others.) In addition, when setting up your packet-filtering rules, it’s helpful to know which ports are being occupied so you don’t inadvertently shut off a service that’s needed by people inside your organization. While it’s not important that you memorize virtually every protocol and port on this list, it is important that you memorize common protocols and ports. Table 1.1 shows some common Internet protocols and ports. Note that you can use other ports not currently utilized by TCP/IP. Typically, these ports fall within the 1024–65,535 range. Some Internet applications or protocols might make use of a port in this upper range, and those are included in Table 1.1 as well and marked with an asterisk (*). Please note that this table does not include ports that are not registered with the Internet Assigned Numbers Authority (IANA), found on the Web at www.iana.org. There are certain “well-known” ports, that is, ports that are well known by hackers to be predominantly open and available for “business.” These ports are noted in Table 1.1 by a plus sign (+).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
16 Chapter 1
■
Introduction to ISA Server
TA B L E 1 . 1
Common Internet Protocols and Ports Port
TCP/UDP
Protocol or Service
20+
TCP
File Transfer Protocol (FTP) Data
21+
TCP
FTP File Transfer Control
*22
TCP
Secure Shell Remote Login Protocol (SSH)
23+
TCP
Telnet
23+
UDP
Telnet
25
TCP
Simple Mail Transfer Protocol (SMTP)
42
TCP
Windows Internet Name Service (WINS) replication and other hostname servers
47
TCP
Generic Route Encapsulation (GRE) header for PPTP
53+
UDP
Domain Name System (DNS) Name Resolution and Lookup
53+
TCP
DNS Name Resolution and Lookup
67+
UDP
DHCP Client, Bootstrap Protocol (BootP)
68+
UDP
DHCP Server
69+
TCP
Remote Installations via Trivial File Transfer Protocol (TFTP—commonly used for configuring network devices such as switches and routers across a network)
80+
TCP
HTTP
88+
TCP/UDP
Kerberos v5 Authentication (default security protocol used by Windows 2000)
102
TCP
Mail Transfer Agent (MTA) using X.400 over TCP/IP
110+
TCP
Post Office Protocol v3 (POP3)
119+
TCP
Network News Transport Protocol (NNTP)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Internet Protocols and Ports 17
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
135
TCP
Used for three purposes: client/server communication, for legacy Exchange administration, and for Remote Procedure Call (RPC)
137+
UDP
NetBIOS Name Service (Handles logon sequence, Windows NT 4 trusts, Windows NT 4 secure channel, pass-through authentication, browsing, and printing)
137+
TCP
WINS registration
138+
UDP
NetBIOS Datagram Service (Handles logon sequence, Windows NT 4 trusts, Windows NT 4 directory replication, Windows NT 4 secure channel, pass-through authentication, netlogon, browsing, and printing)
139+
TCP
NetBIOS Session Service (Handles NetBIOS Translation [NBT], Server Message Blocks [SMB], file sharing, printing, logon sequences, Windows NT 4 trusts, Windows NT 4 directory replication, Windows NT 4 secure channel, pass-through authentication, Windows NT 4 administration tools [Server Manager, User Manager, Event Viewer, Registry Editor, Performance Monitor, DNS Admin], Common Internet File System [CIFS])
143
TCP
Internet Message Access Protocol (IMAP)
194+
TCP
Internet Relay Chat (IRC)
194+
UDP
Internet Relay Chat (IRC)
220+
TCP
IMAP v3
220+
UDP
IMAP v3
389+
TCP/UDP
Lightweight Directory Access Protocol (LDAP)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
18
Chapter 1
■
Introduction to ISA Server
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
*407
TCP
Timbuktu (Remote control software— www.netopia.com)
443
TCP
HTTP Secure Sockets Layer (SSL)
445
TCP
Common Internet File System (CIFS)
464
TCP/UDP
Kerberos v5 Password
465
TCP
SMTP (SSL)
500
TCP/UDP
Internet Security Association Key Management Protocol (ISAKMP)/Oakley header and traffic (used with IPSec)
*522
TCP
User Location Protocol (ULP— www.microsoft.com)
531
TCP
Internet Relay Chat (IRC)
543
TCP
Kerberos Login (klogin)
544
TCP
Kerberos Shell (kshell)
*554
TCP/UDP
Real Time Streaming Protocol (RTSP—
info.internet.isi.edu/in-notes/ rfc/files/rfc2326.txt) 560
TCP
Content Replication Service
563
TCP
NNTP (SSL)
636
TCP
LDAP (SSL)
*666
TCP/UDP
Doom Internet game
750
UDP
Kerberos authentication
751
UDP
Kerberos authentication
752
TCP
Kerberos authentication
753
UDP
Kerberos User Registration Server
754
TCP
Kerberos Slave Propagation
888
TCP
Logon and environment passing
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Internet Protocols and Ports 19
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
993
TCP
IMAP4 (SSL)
995
TCP
POP3 (SSL)
1024–5000
TCP
Structured Query Language (SQL) sessions
*1024
TCP
Mirabilis ICQ (dynamic assignment starting from port 1024, www.icq.com) (Also AOL ICQ)
1109
TCP
Post Office Protocol (POP) with Kerberos
1234
TCP
Used by Small Business Server’s (SBS) second-tier DNS Registration Wizard
*1417–1420
UDP
Timbuktu (Remote control software—
www.netopia.com) 1433
TCP
SQL session
*1490
TCP
Vocaltec Internet Phone (www.vocaltec.com)
1500
TCP
Remote Procedure Call (RPC) Client fixedport sessions queries
*1503
TCP
T.120 (Exchange 2000 conferencing server—www.microsoft.com/exchange)
*1533
TCP
Various Internet voice conferencing services
*1558
UDP
Xingtech videoconferencing (www.xingtech.com)
1645
UDP
Remote Authentication Dial-In User Service (RADIUS) authentication (Port 1812 can be used also)
1646
UDP
Remote Authentication Dial-In User Service (RADIUS) accounting (Port 1813 can be used also)
*1720
TCP/UDP
H.323 (videoconferencing) call setup (Exchange 2000 conferencing server)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
20
Chapter 1
■
Introduction to ISA Server
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
1723
TCP
Point to Point Tunneling Protocol (PPTP) Control Channel (used along with port 47—GRE header channel)
*1731
TCP
Audio call control (Exchange 2000 conferencing server)
1801
TCP
Microsoft Message Queue Server
1812
UDP
Remote Authentication Dial-In User Service (RADIUS) authentication (Port 1645 can be used also)
1813
UDP
Remote Authentication Dial-In User Service (RADIUS) accounting (Port 1646 can be used also)
*1863
TCP
Microsoft Network (MSN) Messenger Instant Messaging (messenger.msn.com)
*2000–2003
TCP
ICUII Video Chat program (www.icuii.com)
*2000–2007
TCP
iSPQ Video Chat program (www.nanocom.com)
*2001
TCP
Webglimpse search engine (www.webglimpse.org)
2053
TCP
Kerberos de-multiplexer
*2064
TCP
Distributed.net RC5/DES distributed computation (www1.distributed.net)
2101
TCP
Microsoft Message Queue Server
2103
TCP
Microsoft Message Queue Server
2105
TCP
Kerberos encrypted remote login (rlogin), Microsoft Message Queue Server
*2327
UDP
Netscape conferencing (www.netscape.com)
*2300–2400
TCP/UDP
Microsoft DirectX gaming (www.microsoft.com/directx)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Internet Protocols and Ports 21
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
*2592
TCP
Netrek game (www.netrek.org)
2980
TCP/UDP
Exchange 2000 Instant Messaging (IM) Service
*3128
TCP
Web proxy cache program (www.squid-cache.org)
*3130
TCP
Web proxy cache program (www.squid-cache.org)
3268
Global Catalog
3269
Global Catalog
3389
TCP
Windows 2000 Terminal Server
3527
UDP
Microsoft Message Queue Server
*4000
UDP
Mirabilis ICQ (dynamic assignment starting from port 1024, www.icq.com)
*4020
TCP/UDP
Ichat chat rooms (www.ichat.com)
*4747
UDP
Pgpfone (secure Internet phone,
www.pgpi.org) *4747
TCP
Playlink games site (www.playlink.com)
*4748
TCP
Playlink games site (www.playlink.com)
*5190
TCP/UDP
AOL Instant Messenger (www.aol.com)
*5190
TCP
AOL ICQ (www.aol.com)
*5190–5193
TCP/UDP
AOL (www.aol.com)
*5190
TCP
AOL ICQ (www.aol.com)
*5631
TCP
Symantec PCAnywhere (www.symantec.com)
*5632
UDP
Symantec PCAnywhere (www.symantec.com)
*5800 (and up)
TCP
VNC remote control (www.uk.research.att.com/vnc)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
22
Chapter 1
■
Introduction to ISA Server
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
*5900 (and up)
TCP
VNC remote control (www.uk.research.att.com/vnc)
*6498
TCP
Netscape conferencing
(www.netscape.com) *6502
TCP
Netscape conferencing (www.netscape.com)
*6502
TCP/UDP
Danware Netop remote control software (www.netop.com)
6665
TCP
Microsoft Chat server to server
6667
TCP
Microsoft Chat client to server
6665–6669
TCP
Internet relay chat
*6670
TCP
Vocaltec Internet Phone (www.vocaltec.com)
*6970–6999
UDP
Apple Real-Time Transport Protocol (RTP) for QuickTime (www.apple.com)
*6970–7170
UDP
RealAudio streaming audio and video using Real-Time Streaming Protocol (RTSP) (www.real.com)
7000
TCP
VDO Live streaming video
*7070
TCP
RealAudio streaming audio and video using Real Time Streaming Protocol (RTSP) (www.real.com)
*7648–7649
TCP
CUSeeMe videoconferencing (www.cuseeme.com)
*7648–7652
UDP
CUSeeMe videoconferencing (www.cuseeme.com)
8001
TCP
HTTP
8002
TCP
HTTP
8080
TCP
HTTP
*9943
UDP
Ivisit virtual chat (www.ivisit.com)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Internet Protocols and Ports 23
TA B L E 1 . 1
Common Internet Protocols and Ports (continued) Port
TCP/UDP
Protocol or Service
*9945
UDP
Ivisit virtual chat (www.ivisit.com)
*10090
TCP
Playlink games site (www.playlink.com)
*14237
TCP
Palm computing hotsync (www.palm.com)
*14238
UDP
Palm computing hotsync (www.palm.com)
*18888
TCP
Liquid Audio streaming audio (www.liquidaudio.com)
*18888–18889
UDP
Liquid Audio streaming audio (www.liquidaudio.com)
*22555
UDP
Vocaltec Internet Phone (www.vocaltec.com)
*24032
UDP
CUSeeMe videoconferencing (www.cuseeme.com)
*25793
TCP
Vocaltec Internet Phone (www.vocaltec.com)
*26000
TCP/UDP
Quake Internet game
*28800–29000
TCP/UDP
Microsoft Network (MSN) gaming (www.msn.com)
*39213
UDP
Sygate manager (www.sygate.com)
*47624
TCP/UDP
Microsoft DirectX gaming (www.microsoft.com/directx)
*51200–51201
UDP
Dialpad Internet telephony (www.dialpad.com)
*51210
TCP
Dialpad Internet telephony (www.dialpad.com)
*56768
UDP
Ivisit virtual chat (www.ivisit.com)
*Dynamic
TCP
H.323 Call Control
*Dynamic
UDP
H.323 Call (RTP over UDP)
Dynamic
TCP
RCP Session Ports
*Indicates ports used by Internet applications or protocols. +Indicates ports well known by hackers to be open for “business.”
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
24
Chapter 1
■
Introduction to ISA Server
ISA versus Microsoft Proxy Server 2.0
I
f you have experience with Proxy Server 2.0, you can expect that the very good things that Proxy Server brought to networks will be carried forth and more added besides. Existing Proxy Server 2.0 installations will integrate with new ISA Server configurations in an array-like fashion, one of Proxy Server and ISA Server’s more appealing capabilities. Following are the features (some are updates from Proxy Server 2.0) of ISA Server: Firewall Like Proxy Server 2.0, ISA Server is a firewall. ISA Server supports circuit, application, and packet filtering and is an ICSA certified firewall. Caching server ISA Server can function as a stand-alone caching server or in an array of caching servers. Note that MS Proxy Server 2.0 had caching capabilities, but they’ve been greatly improved with ISA. Dynamic packet filtering Also called stateful inspection. ISA Server can examine packets as they come across the wire, making decisions about their context and connection state and opening ports accordingly. With dynamic packet filtering, the appropriate port is opened when needed and closed when not needed. Circuit-level filtering Think of an automated process running on an internal server that periodically needs to FTP into a server on the DMZ in order to place files in a folder on the external server. This process has created a circuit. ISA Server supports circuit-level filtering, allowing you to monitor the circuit and its status. Various Internet applications (such as Telnet) can be monitored through circuit-level filtering. Application filtering With application filtering, you monitor incoming and outgoing packet flow associated with a particular application. You can use this technique to monitor, for example, bad SMTP packets going out or potential DNS hacks coming in. Integrated virtual private networking ISA Server integrates with VPN clients. You can set up ISA Server so that it acts as a VPN host server and allows in only your known VPN users—keeping potential VPN hackers out. System hardening The administrator has a choice of ways in which the Windows 2000 Server computer with ISA Server installed is utilized. For example, if the server also has Internet Information Service installed
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
ISA versus Microsoft Proxy Server 2.0 25
on it, you would set system hardening to Secure to allow other server services to be functional. System hardening is your way of defining the level of security that’s required of your ISA Server. The more security you apply, the harder it is to get into your private network—hence the term hardening. Intrusion detection New to ISA Server. You can set up the ability for ISA to detect and respond to network attacks such as the Ping of Death and DoS. Policies ISA Server allows you to set up one of two different types of policies: enterprise or array, based upon whether you’re working with servers in an array or if you desire to enforce all servers from an enterprise perspective. When installing ISA Server in an array, you can opt to configure enterprise policies and yet allow admins who’ll be working with other array members to add their policies as well; you can also configure enterprise policies and not allow any other policies or simply allow others to configure their own policies. When you configure policies that are an addition to the enterprise policies, they are called array policies. Reporting ISA Server provides for various reports showing network activity, security events, and application usage. Secure application hosting ISA Server, like Proxy Server 2.0, allows for application and web hosting. ISA Server kicks things up a notch by allowing web, e-mail, and e-commerce servers to live behind the firewall, protected from intruders but able to be utilized by Internet traffic. Robust logging Logging was a weak feature of Proxy Server 2.0. ISA Server changes all that by providing robust logging for cache and network activity. Policy-based access control ISA Server allows you to set up policies by user, group, schedule, application, destination, or content type, thus providing you with very granular control over the access that your users have to the Internet and that Internet users have coming into the private network. In addition, you can expect in ISA Server the ordinary things that you’d expect from any Microsoft server offering: Microsoft Management Console (MMC) single administration source, alerting, performancemonitoring features, and integration with Windows 2000 Active Directory (AD) and wizards.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
26
Chapter 1
■
Introduction to ISA Server
There are some key differences between the two products and reasons to move from MS Proxy Server 2.0 to ISA Server. They are as follows: ■
■
■
■
ISA Server is 10 times faster than MS Proxy Server 2.0. Greatly enhanced Internet user access control through the use of user, group, computer, schedule, bandwidth, or destination information. Capability of centrally managing large ISA Server deployments and support for scalability. Enterprise firewall certified by ICSA Labs (www.icsalabs.com).
Deciding to Begin Working with ISA Server Emilio is a security administrator for a large network in the western hemisphere. The network currently has 20 Proxy Server 2.0 computers spread out over as many countries, home-runned to a headquarters office by T1 (1.544 Mbps) lines. The servers are set up in a Proxy Server array. The enterprise server administration team has designed and deployed a brand-new Windows 2000 Advanced Server environment, completely replacing the original Windows NT 4 network. In his studies, Emilio has learned that ISA Server will handily work with the existing Proxy Server array for smooth parallel cutover to the new system. The new ISA Servers will integrate into Active Directory, making their management and integration much easier. Now all Emilio has to do is finish reading this book and then sit down and design his complete Proxy Server 2.0–to–ISA Server conversion project plan.
Summary
I
n this chapter, we talked about the differences between a proxy server, a firewall, and web-filtering software. A proxy server can NAT addresses between the internal and external networks. It can filter packets
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Key Terms
27
based upon their protocols and accept or deny them accordingly. Proxy servers support the idea of circuit filtering, providing support for Internet applications such as Telnet, e-mail, RealAudio, Microsoft Windows Media, Internet Relay Chat, and others. Proxy servers also support application filtering—monitoring incoming or outgoing packets that belong to a certain application, thus providing application-specific activities such as blocking, screening, redirecting of traffic, and so forth. Proxy servers allow for caching of web hits by internal users, thus speeding up performance. They also allow for secure publishing, the ability to publish web or e-mail services on the Internet from within the private network. Firewalls provide the same basic services but differ a bit from proxy servers in that they have a database of rules that you create in order to facilitate the blocking that you’d like to do. Web filtering simply allows you to control which websites users can go to. ISA Server incorporates all of the great features of MS Proxy Server and includes many more updates and additions as well, such as increased support for secure publishing, various client levels, integration with Active Directory (in an ISA Server array), web filtering, intrusion detection, and enhancements to previous Proxy Server functionality. ISA Server, like Proxy Server, is extensible by virtue of a Software Developer’s Kit.
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: circuit filtering
server hosting
demilitarized zone (DMZ)
Software Developer’s Kit (SDK)
Network Address Translation (NAT)
stateful inspection
reverse hosting
system hardening
reverse proxy
virtual private network (VPN)
secure publishing
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
28
Chapter 1
■
Introduction to ISA Server
Review Questions 1. Aliakbar needs to configure his ISA Server installation so that
website administrators can use Telnet to connect to a server on the DMZ. Aliakbar wants to make sure that the connection is managed and monitored and that he can examine the session at any time. What kind of filtering is required? A. Packet B. Dynamic packet C. Circuit D. Application 2. Juliet is the security administrator for a large Windows 2000–based
enterprise containing several disparate networks. Currently, various administrators are using different firewall products. Juliet would like to bring in one product to take the place of the current hodgepodge of firewalls. What two features of ISA Server will lend credence to her argument? A. Integration with Windows 2000 Active Directory B. Web page caching C. Web filtering D. Arrays 3. What feature of ISA Server will prevent Denial of Service (DoS) and
Ping of Death (PoD) attacks? A. Packet filtering B. Intrusion detection C. Dynamic caching D. Policies
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 29
4. Your internetwork department handles all of the routers, firewalls,
switches, and infrastructure for your company. Your supervisor has given you a mandate to come up with a method whereby you can control the sites that internal users are allowed to visit. What are your alternatives for solving this problem? (Choose all that apply.) A. Windows 2000 Group Policy Object (GPO) B. Proxy Server C. ISA Server D. Talk to internetworking team 5. Leah is the network administrator for a small engineering company.
The company currently has no connection to the Internet, but Leah has been given permission to set up a dial-up connection. Which products can Leah use to accomplish this task? (Choose all that apply.) A. Windows 2000 Advanced Server B. MS Proxy Server 2.0 C. ISA Server D. Exchange 2000 Enterprise Server 6. Kim is the network administrator for a small engineering firm
located in a single building that has an unprotected 56KB connection to their ISP. Besides the obvious security benefit, what other benefits can Kim present to her boss to get approval for purchasing a computer and ISA Server software to act as the firewall? (Choose all that apply.) A. Web caching B. ISA Server array C. Bandwidth management D. Server publishing
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
30
Chapter 1
■
Introduction to ISA Server
7. Faldad administers a 1000-node network that has a T1 connection
to an ISP. The ISP currently blocks incoming packets that Faldad has determined should not be allowed in, but the added monthly costs for the service are prohibitive and Faldad would like to install his own ISA Server. Another of his objectives is to prohibit access by all users to websites that may have objectionable content. He has had requests from many managers for this service. Which products can Faldad use to accomplish this goal? (Choose all that apply.) A. Windows 2000 Advanced Server ICS or NAT B. Microsoft Proxy Server 2.0 C. ISA Server D. Microsoft Proxy Server 2.0 with third-party access-control
software E. ISA Server with third-party access-control software 8. You want to provide access to web servers on your private network
without having to create a DMZ. What ISA Server functionality will accomplish this for you? A. Server publishing B. Reverse hosting C. Packet filtering D. Circuit filtering 9. Pick a feature that ISA Server does not have. A. Web caching B. Routing C. Packet filtering D. Policies
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 31
10. What are some of the key differences between a firewall and a proxy
server? (Choose all that apply.) A. A firewall uses rules. B. A proxy server can’t perform packet filtering. C. A proxy server can’t perform Network Address Translation. D. A firewall can be either hardware- or software-based. 11. You are a contractor who’s been hired by a five-person dental office
to set up a network. In particular, the persons hiring you want two people to be able to regularly access the Internet through their dial-up ISP in addition to performing the normal file/print functions. Which solutions might be appropriate in this situation? A. Microsoft Proxy Server 2.0 B. ISA Server C. NAT D. ICS E. Equipping both PCs with a modem and phone line 12. Suppose that you wanted to have an internal web server available
for Internet clients. What features of ISA Server would you use? (Choose all that apply.) A. Reverse hosting B. Negative proxy C. Secure publishing D. Application publishing 13. What does caching do? A. Keeps Internet pages in memory B. Keeps web activity in a log C. Keeps protocols used in a log D. Keeps protocols prohibited in a log
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
32
Chapter 1
■
Introduction to ISA Server
14. What is system hardening? A. Providing a very sturdy case for the ISA Server B. Putting the ISA Server on a cluster C. Drilling down on the ISA Server security restrictions D. One of the ISA Server installation modes 15. Using the following table, working from the private network out,
put the servers in proper order. ISA Reverse Hosting server ISA Server Web server Private network server 16. Oliver is an administrator of an environment that currently has
an array of Microsoft Proxy Server 2.0 computers. He wants to upgrade the array to ISA Server. What are some of the chief functionalities that Oliver can hope to gain from the new ISA Server array? (Choose all that apply.) A. Sharing of packet filters B. Web cache hierarchy C. Web cache sharing D. Sharing of firewall rules E. Allowing individual administrators to create their own packet
filters and firewall rules 17. What is the reason for using a Microsoft Proxy Server 2.0
installation? A. It keeps Internet users from hacking into the internal network. B. It hides internal network addresses. C. It provides intrusion-detection mechanisms. D. It filters web content.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 33
18. What is to be gained by upgrading to or installing ISA Server?
(Choose all that apply.) A. Intrusion detection B. Reports C. Robust logging D. Web-content filtering E. Alerting F. Capability of operating in an array 19. Miguel is the enterprise administrator for a large network of
disparate “mini-LANs” that are operated by independent administrators. Some of these administrators have voiced a desire to house their own firewall and, in fact, have taken steps toward procuring and installing one. Miguel is recommending an ISA Server array to solve the problem. What are some benefits to be obtained from using an ISA Server array? (Choose all that apply.) A. Both enterprise and local (array) policies can be maintained. B. Local sites can cache web content, and content can be cached at
the DMZ. C. Local administrators can create their own rules. D. Local administrators must adhere to enterprise rules. E. All members of the array can sit on different DMZs. 20. Should an ISA Server computer be connected to an internal network
domain? (Choose all that apply.) A. Yes it should; there are ample security restrictions out-of-box to
prevent hacking. B. Yes it should; however, security restrictions need to be
immediately applied. C. Yes it should; however, only certain administrators should be
allowed access to it. D. No it should not.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
34
Chapter 1
■
Introduction to ISA Server
Answers to Review Questions 1. C. Circuit-level filtering allows for the monitoring of a connected
session using common Internet protocols such as IRC, Telnet, and others. Typically, this kind of monitoring can be used for internal application–to–external application monitoring or by a person trying to set up a session with an Internet-based computer. Packet filtering can be set up to examine incoming and/or outgoing packets of certain protocols or port numbers. Dynamic packet filtering does the same kind of packet filtering, but on the fly as the packets are streaming inward or outward. The key difference between packet filtering and dynamic filtering is that with dynamic filtering the port needed is open during the session and closed at session closure time. Application filtering allows you to monitor common Internet applications for such things as bad SMTP packets or attacks on internal DNS servers. 2. A, D. While answers B and C are certainly appealing, they’re
not relevant in terms of desirable reasons to move to ISA Server. However, ISA Server’s ability to run in a hierarchical array and to integrate with AD are wonderful reasons to consider the switch. 3. B. ISA can monitor for incoming network attacks and prevent them
accordingly, in addition to notifying the administrator of the attack. 4. B, C, D. You can prevent users from hitting certain websites with
either Proxy Server or ISA Server. It’s important to talk to the internetworking team so that they know your plans for introducing ISA Server—you’ll potentially need their help. 5. A, B, C. You can use Windows 2000 Advanced Server with either its
Network Address Translation (NAT) or Internet Connection Sharing (ICS) program. You can also use Proxy Server 2.0 or ISA Server to dial your favorite ISP and make an Internet connection anytime users need one.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 35
6. A, C, D. Kim’s site is small so she wouldn’t need an ISA array.
However web caching, the ability to curtail Internet activity by bandwidth, and server publishing are all great reasons to set up an ISA Server. 7. D, E. NAT and ICS are too small for a 1000-node shop and they
won’t handle Faldad’s need for access control. Proxy Server 2.0 and ISA Server can provide a modicum of access control, but configuration is a manual process and really not satisfactory for the objectives that Faldad has. In order to really leverage Web-filtering, he needs to supply either an MS Proxy Server 2.0 or an ISA Server computer and purchase third-party web-filtering software to go along with it. Microsoft provides SDKs for products such as this to encourage third-party snap-in/add-on software to enhance the initial capabilities. You can create destination sets and apply these to users and groups in ISA (with much more granular control than you had with Microsoft Proxy Server 2.0), but if you’re trying to filter out objectionable content such as porn sites, you really have to resort to third-party snap-ins to ISA. 8. A. Web servers aren’t the only type of server that can take advantage
of this feature but probably the most apt one to use it at first. Note that in large enterprises with many servers, it may make more sense to set up a DMZ and use ISA Server to reverse host, thus protecting the web servers and acting as the first line of defense on the big bad Internet. 9. B. ISA Server is not a router and does not function as a router.
Routing is a function of Windows 2000 Server, not ISA. Windows 2000 Server has the ability to take on many forms of routing: Routing Information Protocol (RIP), RIP v2, Open Shortest Path First (OSPF), and others. 10. A, D. A proxy server is almost like a firewall but with a couple of
key exceptions: A proxy server doesn’t use rules like a firewall does to keep traffic out (or in, as the case may be), and a firewall can be either hardware- or software-based.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
36
Chapter 1
■
Introduction to ISA Server
11. C, D. In a situation such as this, ICS and NAT are probably the best
considerations. You can set up one Windows 2000 Server that can be utilized for file and print services as well as for hosting NAT and ICS. 12. A, C. Reverse hosting, or as it’s been referred to, secure publishing,
through ISA Server allows you to maintain internal web servers that can be hit by Internet users. 13. A. Caching keeps track of the Internet sites that have been hit
and caches them in memory for a short time. The cache time and length are adjustable. A feature of both ISA Server and Microsoft Proxy Server 2.0 is that you can ask for either server product to periodically go out to sites you’re interested in maintaining crisp congruity with and refresh the cache with updated pages. You can nest caching servers (more on that in the array chapters). Caching speeds up Internet response times for users. 14. C. You can choose how secure you want the ISA Server to be. There
are three levels of system hardening. 15.
Private network server ISA Server Web server ISA Reverse Hosting server
Remember that reverse hosting means that the ISA Server is in front of the web servers on the DMZ, protecting them from intruder attacks, filtering packets, and doing all the things good firewalls do. The ISA server behind the web servers protects the private network from the same things, perhaps even more. In larger web server environments, the web servers sit on the DMZ in between the two firewalls. The private network server sits behind the firewall server that protects the private network from the DMZ and Internet.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 37
16. E. In an ISA Server array, your first installation sets up the array. At
that time, you have the option to create enterprise policies. You can opt to allow other array members to add to your enterprise policies, you can force the enterprise policies to be the only policies that are in place, or you can opt to allow the array member admins to create their own policies. This is not a feature that you’d realize with Microsoft Proxy Server 2.0 and one reason you’d want to upgrade to ISA Server. We talk a lot more about arrays in Chapter 5, “Configuring ISA Server for the Enterprise.” 17. A, B, D. Proxy Servers are chiefly able to perform packet filtering,
which, to some extent, keeps intruders from hacking into the network. It also NATs the internal network addresses, hiding them from the outside world. Microsoft Proxy Server provides no intrusion-detection mechanism without some third-party intervention. While it is possible to filter out Web content using rules, you wouldn’t use this kind of functionality to rule out objectionable sites in a corporate environment. You need more horsepower than the rules can give you, and so you’d probably resort to a third-party ISAPI snap-in. 18. A, B, C, E. Without a third-party add-on component, ISA Server
still cannot do web-content filtering. However, in both Microsoft Proxy Server 2.0 and ISA Server, you can set up sites that are offlimits to users. A site and content rule in ISA Server means that you can set up a rule to explicitly allow or deny some forms of content. It does not utilize advanced searching methodologies that rule out sites with specific content. Both Proxy Server and ISA can operate in an array. 19. A, B, C, D. You would probably not set up an array where each
array member was at the edge of a different DMZ, even in an environment such as the one above. You would use arrays to control the enterprise rules and, if so desired, allow local admins to add to (not take away from) the rules. You could cache web content both locally and at the DMZ. Best of all, you’d have an even playing field of subject matter experts who were knowledgeable about a single product, and the whole thing would run over Active Directory.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
38
Chapter 1
■
Introduction to ISA Server
20. B, C. The entire concept behind ISA Server is that it NATs internal
addresses for users to access the Internet through disguised addresses. On top of that, ISA can take advantage of users, groups, and computers but can only see those users, groups, and computers if it’s a member of a domain. However, you cannot simply plug in and run an ISA Server computer. You’ll need to establish rules that specifically allow or deny certain Internet access.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
2
ISA Server 2000 Installation MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Preconfigure network interfaces. ■
Verify Internet connectivity before installing ISA Server.
■
Verify DNS name resolution.
✓ Install ISA Server. Installation modes include integrated, firewall, and cache. ■
Construct and modify the local address table (LAT).
■
Calculate the size of the cache and configure it.
■
Install an ISA Server computer as a member of an array.
✓ Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server. ■
Back up the Proxy 2.0 Server configuration.
✓ Troubleshoot problems that occur during setup.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
I
n this chapter, we get on with the business of installing ISA Server. We’ll be taking a look at the key ingredients of an ISA installation, particularly items like good name-server registrations, ensuring that you have stable Internet connectivity, creating the local address table (LAT), calculating cache size, and setting up ISA as an array member. We’ll also delve a bit into upgrading from existing Proxy Server 2.0 installations. Finally, we’ll talk about troubleshooting setup problems.
Preconfiguring Network Interfaces
W
hen we talk about network interfaces, we’re talking specifically about the external and internal interfaces that the ISA Server will use. Specifically we’re interested in the way that the ISA Server will interface with the Internet and how we’ll accomplish name resolution.
Preconfigure network interfaces. ■
Verify Internet connectivity before installing ISA Server.
■
Verify DNS name resolution.
This section is about verifying that the important ingredients are present before you perform your ISA installation, namely, Internet connectivity and DNS name-resolution capabilities. Since the heart and soul of ISA is all about Internet client activity, be it internal clients browsing the Web or
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Preconfiguring Network Interfaces 41
external clients trying to hit published servers, it’s highly important to understand how name resolutions can help or hinder your installation, as well as to make sure you have the right setup to get to the Internet in the first place.
Sizing the ISA Server Before we go to the topics at large, we need to talk briefly about how you’ll size your ISA Server. There are several considerations you’ll need to take into account as you consider your ISA Server purchase.
Processor Speed The processor speed you pick depends almost entirely on the speed of your external Internet connection (coupled, in part, with the kind of activities your ISA Server will be involved with—for our work here, let’s assume a moderately rules-oriented server that will be involved in assessing a modicum of rules as they come in or go out the door). A server that’s simply doing some web caching won’t be as busy as one that’s involved with web caching, intense logging, IP packet filtering, and other typical ISA duties. Keep in mind that all of these things can be spread out among array members, but here we’re merely considering one box. For any kind of non-T-carrier connection (ISDN, DSL circuit, cable modem) that runs at less than 10 megabits per second (Mbps) you can safely run any processor above a Pentium II 300 megahertz (MHz)-class CPU. (You can’t buy one today, but that’s another story.) For a T1–T3 (E1–E3 in Europe), OC-1, or DS3 connection running anywhere between 10Mbps and 50Mbps, you should consider, at a minimum, a Pentium III 550MHz or higher. For speeds higher than that (OC-3 running at 155Mbps, for example) you should consider a Pentium III 550 MHz with an additional processor for each bump beyond 50Mbps. So, for a dedicated OC-3 pipe to your ISP, you’d consider a quad-Pentium III 550MHz or greater for your ISA Server. ISA, by virtue of tagging onto Windows 2000 Server, is symmetric multiprocessor (SMP)–aware, so you won’t have a problem with it recognizing and working with up to four processors.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
42
Chapter 2
■
ISA Server 2000 Installation
Windows 2000 Server supports up to four processors, Windows 2000 Advanced Server supports up to eight, and Windows 2000 DataCenter Server supports up to 32. However, ISA Standard Edition will not install on a computer with more than four processors. ISA Enterprise Edition will utilize the full 32 processors of a DataCenter Server. Only Enterprise Edition can be installed as an array.
Memory Because ISA runs quite a bit of its activities in memory (NAT tables, URL caches, etc.), RAM is everything to your server design. There is a set Microsoft minimum recommended amount of RAM for ISA Server: 256MB. I can just about guarantee you that if you try running a production ISA box with this little bit of memory, you’ll find your computer is a “pooch,” meaning that it’s lazy and slow. (Remember that you also have the Windows 2000 Server overhead tagged onto the ISA Server needs.) Realistic RAM minimums are 256MB for an ISA Server in a smallish environment (less than 1000 nodes). For over 1000 nodes, consider adding additional increments of RAM. An optional recommendation to consider is 256MB for each 2000 users over the first 1000. That said, in today’s server economy where margins are low and bargains are high, I would not hesitate to order a production ISA Server containing a gigabyte of RAM for a 1000-node office—more for a larger office. For a 500-node office, order your production ISA Server with 512MB–1GB of RAM.
Disk Space There are two things that you’ll be storing in heavy disk quantities on your ISA Server: cache and logs. The cache is set up so that you declare one size and that size is fully utilized by ISA Server (meaning that it doesn’t dynamically resize the file as the cache size increases). It turns out that by avoiding the dynamic resize issue, you can save processor cycles. You have to look at the number of nodes you’re supporting in order to figure out how much disk space you need to allocate for your cache. It’s difficult to determine how much cache space to allocate because not all users are created equal. Some will be highly robust in their Internet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Preconfiguring Network Interfaces 43
enjoyment, while others will be basic surfers. For the test, you should remember that Microsoft recommends 2–4GB of disk space for up to 500 users, 10GB for 500–1000 users, and an additional 10GB for every 2000 users you add to the system.
For the test, remember that Microsoft uses the formula of 100MB plus 0.5MB for each user supported, rounded to the nearest whole MB. For real deployments, ignore that formula and use the recommendations listed above.
You should consider doubling or tripling these numbers for a real-life production scenario. For deployments in which you’re planning to perform a limited amount of logging (for such things as IP packet filtering and Web Proxy), you should plan on at least 1GB of space dedicated to the logs. It may not be a bad idea to consider partitioning your ISA computer in such a way that the OS lives on one partition, the ISA program files on another, the cache on another, and the logs on another. Consider putting the cache and logs on completely separate physical disks, not just partitions. The cache must be located on an NTFS partition. If you’re still putting things on FAT, can we talk? With ISA Server Enterprise Edition, you can install ISA Server on multiple computers, each of which can become a member of the same ISA array and can fulfill various duties. This will help you facilitate large deployments that have many users and needs within a single array design. The caveat with this is that there’s a pretty large jump in price from ISA Standard to ISA Enterprise. In either the Standard or Enterprise pricing scenario, you pay by the CPU. The retail price for ISA Standard is around $1500 per CPU, while ISA Enterprise is $6000 per CPU ($3000 per CPU if you’re upgrading from an older firewall product). Keep this in mind as you size your ISA Server and ask the question, “Is this such a large enterprise that I have to go with a full ISA Server array, or can I get by with one reasonably well-engineered server?” With the above sizing recommendations in mind, you should have a somewhat better understanding of the caliber of computer you’ll be using for your foray into enterprise-class firewalling. You should not consider
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
44
Chapter 2
■
ISA Server 2000 Installation
installing ISA Server on a workstation-class computer running a Pentium II 450 with 128MB of RAM. You won’t like the performance and neither will your users. Take this box seriously. Buy a good-quality computer from a Tier-1 vendor, and over-engineer the computer with more CPU, RAM, and disk than you think you’ll need. You will not be sorry you did.
Verifying Network Connectivity ISA Server utilizes two connections, or interfaces: an internal interface and an external interface. This singular concept is the very foundation upon which ISA is built. Information comes in from an external source and is passed to an internal destination or vice-versa. Typically, the internal interface is a network interface card (NIC) that’s connected to the internal network or at least has a network ID and associated IP address different from those of the external interface. The external interface can take a variety of forms: ■
Phone line interface for dial-up connection
■
NIC connected to a perimeter network
■
Direct connection to the Internet (typically through a router connection)
These three different connection methodologies are shown in Figure 2.1. FIGURE 2.1
External interface connections
ISP
Internet
ISP
Internet
ISP
Internet
Dial-up connection
ISA Server
RI
Switch
Router
1
2
3
4
5
6
7
8
RO
Demarc
ISA Server
ISA Server
DSL, cable modem, ISDN
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Preconfiguring Network Interfaces 45
The top segment of Figure 2.1 shows a dial-up connection to the ISP via a regular telephone line (plain old telephone service, or POTS). The other side would have some sort of device that could receive your phone call, accept your logon credentials, log your session on, and get you to the Internet. The middle layout shows a typical corporate setup consisting of some sort of WAN connection coming in from your circuit provider (usually called a carrier). Typically, these circuits terminate at the demarc (demarcation point—also sometimes written as d-mark) in your building, and in turn a cable goes from the demarc to a router. A cable from the router plugs into a switch or hub, which in turn can feed any devices. This is just one layout—there are others that are similar to this basic concept.
Note that the speed of the circuit between your ISP and the demarc does not necessarily correspond to the speed with which your router talks to the network. These are two separate speeds. The connection to your ISP may move at a T1 speed (1.544Mbps) while your internal router-to-switch connection moves at 100Mbps.
The bottom layout shows a situation where you’re connecting to your ISP by cable modem, ISDN, or DSL. In cases such as this, you need some sort of external or internal device that is able to send the signal to the carrier. Note that the carrier may or may not be your ISP, but they are able to send your data to your ISP if they are not directly hosting you on the Internet. In all of these situations, the common element is the fact that you can ultimately connect to the Internet, although the speed with which you connect may vary markedly, with dial-up being the slowest and the middle design having the potential for being the fastest.
Networks That Are Internal to the DMZ You may or may not be responsible for your company’s connection to the Internet. Larger companies break their operations out into several specialty groups: One might handle the internetworking aspects of the company— the routers, switches, hubs, and associated cabling in the Intermediate Data Facility (IDF) and Main Data Facility (MDF). Another group might handle the DMZ perimeter network, including the web servers (there
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
46
Chapter 2
■
ISA Server 2000 Installation
could even be a spin-off group that strictly handles the web servers). Still another might be responsible for the internal server farms and so forth. So determining exactly what your Internet connection is and who’s responsible for it may be a problem. Some large enterprises have internal heterogeneous LANs with LAN administrators who don’t talk to one another and who are responsible for hundreds or thousands of users apiece. In circumstances like this, it’s highly possible that an administrator would install an ISA Server whose function was simply to protect its users, with no regard to other LANs in the enterprise. It’s even possible that an internal network such as this might have several campuses to be concerned about, along with routers and some sort of connectivity between buildings. In cases like this, the ISA Server’s external interface simply points to the default gateway of the company’s main firewall in order to get out the door. While we’re on the subject of routers, we need to point out that if you’re in an environment that involves several routed subnets, there’s a client issue you’ll have to deal with. The SecureNAT client won’t work for subnets that must traverse a router in order to find the gateway—that is, until you or whoever is in charge of the routers makes an entry that points all references to a default gateway to the ISA Server. Figure 2.2 shows this setup. You can bypass this requirement in one of two ways: ■
■
FIGURE 2.2
Install the Firewall client on all the client computers Install an ISA Server array member on each subnet and then use a routing rule to point to the primary ISA box, as shown in Figure 2.3
Multiple subnet clients connecting to an ISA Server through a router
xxx.yyy.80.zzz subnet
xxx.yyy.90.zzz subnet Router
Clients
Router must have a forwarding rule that points the 80 subnet’s default gateway to the internal interface of the ISA box.
ISA Server array member Internet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Preconfiguring Network Interfaces 47
FIGURE 2.3
Multiple subnet clients connecting to an ISA Server array member
xxx.yyy.80.zzz subnet
xxx.yyy.90.zzz subnet
Clients
ISA Server array member
ISA Server array member Internet
The SecureNAT client does not resolve the ISA Server’s name for you. You’ll have to have your ISA Servers correctly keyed into the DNS servers (and WINS for non-DNS clients) in order to resolve the host’s name to an IP address.
ISA on the DMZ So far, we’ve talked about ISA Server as the perimeter or edge device that receives internal web requests and shoots your users out onto the Internet, NAT-ting then in the process—but only in the case of the SecureNAT client, that is. Other clients utilizing regular proxy-style operations under ISA utilize ISA to fetch the data on their behalf. The client never leaves the building. The client is serviced from ISA’s cache once the data is returned. But what about your web servers? What protects them? It turns out that you can install an ISA Server in front of the web servers so that the ISA Servers stand like sentries in front of even the servers on the DMZ, occasionally referred to as a perimeter network. Figure 2.4 shows this scenario.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
48
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.4
ISA sentries in front of web servers on the DMZ
Internal network
DMZ ISA Server(s) Web server Web server Web server Internet
In the figure, you can see that the ISA Server would have to contain three interfaces: one that points to the DMZ and the other two for internal and external interfaces. This T-shaped scenario is very common throughout the corporate world. There’s another methodology as well, one that involves putting two or more ISA boxes to work both in front and in back of the DMZ, as shown in Figure 2.5. FIGURE 2.5
ISA sentries in front and back of the web servers on the DMZ
Internal network
Internal ISA Server(s)
DMZ
External ISA Server(s)
Web server Web server Web server
Internet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Preconfiguring Network Interfaces 49
In this scenario, internal users would have to contact the internal ISA Server, which would then forward requests to the external server and route the users out onto the Internet. Internet users surfing into the corporate website would pass through the ISA Server (provided they were using the correct protocols) and go no further. You might conceivably need to set up ISA arrays in large DMZs in order to adequately handle voluminous traffic or else provide large servers for the operation. Still, I think you’ll find that if you investigate the complete ISA solution versus the hardware competition, you’ll discover not only a huge cost savings potential but also much more granularity over the control you have with the system.
DNS Issues Because Windows 2000 uses DNS for its name-resolution activities, your ISA Server installation will resort to DNS when it needs to resolve a hostname. This is a really key point in the ISA world because your ISA Server will be dealing with the Internet and therefore will require name-server resolution that scales to the entire Web. People need to find the ISA Server whether they’re inside or outside, and so DNS setup is very important. On the internal network, you’ll want to make sure that there’s a DNS entry for each ISA computer you’re running. An Address (A) record is all that’s needed. For NetBIOS (Windows 9x, Me, and, potentially, NT clients), you’ll also probably want to make sure that the server(s) appear in WINS. For the external network, you’ll want to make sure that your ISP keys in the new server address(es) if they’re hosting the DNS servers, or you’ll want to take care of the entries yourself if you’re hosting the DNS servers. In either case, make sure that the names are completely resolvable throughout the internal enterprise and from the Internet. Remember that the IP packet filters that initially install with ISA take care of ICMP (ping) attacks.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
50
Chapter 2
■
ISA Server 2000 Installation
Should Your Small Company Use a Cable Modem As Opposed to a T1 Circuit? There’s some room for argument room here. A cable modem can, theoretically, provide much higher speeds than a T1 carrier. At my house, I have a cable modem and I’ve seen speeds that would equal almost three T1 circuits (a little over 6Mbps)! The problem is that the speed is intermittent. You never know just what you’re going to get with cable modem. In most cases, you’ll wind up operating much faster than a DSL circuit —and usually a T1 as well. But the risk you take is when others in the neighborhood also procure a cable modem and are hooked into the same equipment as you are. Then you must share that big pot of bandwidth and it slows down a little for you. On the other hand, you have a problem with T1 Frame Relay circuits— and that’s the issue of Committed Information Rate (CIR). You purchase a set bandwidth and pay a monthly fee for that bandwidth. But you’re also given a ceiling that you can periodically exceed. If, for example, you purchase a 712KB Frame Relay circuit and you agree that you’ll only infrequently burst over that amount of bandwidth, then you’re in good shape because you’re likely not to have packets discarded when you only minimally go over the edge. That’s your CIR—712KB. Realize, however, that if you go over that amount, then anything that goes over is considered discard eligible and can be thrown away, which means the computer sending the packets in the first place doesn’t get an acknowledgment that the packet was delivered and has to go through the whole process again, thus further bogging down the system. You’re fine with Frame Relay circuits as long as you don’t get cheap and set the CIR too low. I worked for a company once where the CIR was set at 0! Anything over zero packets was considered discard eligible. That’s fine, as long as you’re hooked up with a company that doesn’t over-provision the circuits they have to offer (not likely). But in most cases, telecommunications providers are interested in getting
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 51
the most bang for the buck and so they go out of their way to make sure all circuits are usually loaded—a killer scenario for low-CIR corporations. Moral of the story? Small companies can easily get by with cable modems—the speed is every bit as good as T1 Frame Relay, if not better, and the cost is about the same. But beyond the 50–100-user mark, you’re ready for good old Frame Relay or comparable service. Keep in mind that cable modems are intended for Internet, intranet, and extranet service.
Installing ISA Server
I
nstalling ISA Server, even in an array environment, is very easy to do. Microsoft has made the installation of ISA Server fast and with only a minimum of administrator intervention.
Install ISA Server. Installation modes include integrated, firewall, and cache. ■
Construct and modify the local address table (LAT).
■
Calculate the size of the cache and configure it.
■
Install an ISA Server computer as a member of an array.
Installing ISA Server is a very simple procedure. You start with a Windows 2000 Server or Advanced Server running Service Pack 1 (SP1) or a DataCenter Server on an adequately engineered hardware platform that complies with the Microsoft Hardware Compatibility List (HCL). After Windows 2000 Server is installed, you run the ISA Server installation. If you intend to install an ISA Server array, you’ll have to purchase an ISA Server enterprise license for all processors in each computer that’s going to be involved in the array. If you’re going to run only stand-alone installations of ISA Server, you can purchase the Standard Edition license for all processors in each stand-alone computer that you’re setting up.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
52
Chapter 2
■
ISA Server 2000 Installation
There’s a slight difference in the way that you install the first array member and each subsequent array member, but the deviation is only minor compared to the stand-alone installation. Chapter 5 discusses ISA arrays in much more detail than we’ll discuss in this section. Before you begin, you need to figure out what kind of ISA installation you’re going to be doing. There are three different flavors of ISA installation: Cache mode Use this installation method if the ISA Server you’re creating is to be used only for URL caching. You could use this mode for ISA Servers that will be connected to the internal network. You can also use this mode when you have an installation with one leg in the internal network and one leg in the DMZ, as long as the cache mode server is protected by a firewall. Firewall mode Select this method if you won’t be doing any caching or other server application work, but you’ll be using the computer strictly as a firewall. You’ll dedicate this computer as a DMZ firewall. This is the server that can interface with both the DMZ and the internal network. You may hear this kind of server installation referred to as an edge device, edge server, or bastion host, meaning that it works on the edge of the network. Integrated Utilize this method if you’re interested in using the ISA Server as both a firewall and a cache server or if the server will be running other applications in addition to ISA. Avoid using this installation on the edge of the network, as it is not the most protected of the three installation types. Let’s utilize Exercise 2.1 to install the stand-alone version of ISA. In this exercise you’ll need to have a Windows 2000 Server SP1 computer ready to go. We’ll be installing in integrated mode. EXERCISE 2.1
A Basic ISA Stand-Alone Installation 1. Begin by inserting the ISA Server CD and clicking the Install ISA Server button.
2. You’re presented with the copyright and licensing information window. Assent by clicking Continue.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 53
EXERCISE 2.1 (continued)
3. Next, you’re presented with the End User License Agreement (EULA). Read the agreement, and then click the I Agree button.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
54
Chapter 2
■
ISA Server 2000 Installation
EXERCISE 2.1 (continued)
4. In the installation window, you’re asked if you’d like to perform a Typical, Custom, or Full Installation. You’re also given the path to where ISA Server will install itself. Verify the path or change it if necessary, and then click Full Installation.
5. Now you’re asked to select the installation mode. Note that the default is Integrated Mode. An explanation of each mode is given next to its radio button. Accept the default and click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 55
EXERCISE 2.1 (continued)
6. ISA Setup notifies you that it has stopped your IIS publishing service temporarily. Click OK.
7. Now you’re presented with an incredibly important window. You have to select the drive that you want to install the cache file on and tell ISA what size to make the file. In a production environment, it would be advisable to dedicate a drive to the cache and to use the sizing information listed previously in this chapter to adequately size the cache. The 100MB suggested size is normally not adequate, but it will do for our exercise purposes. Select your drive and cache size, and then click OK.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
56
Chapter 2
■
ISA Server 2000 Installation
EXERCISE 2.1 (continued)
8. Next, you’re presented with an equally important window, where you construct the local address table.
If you simply click the Construct Table button, ISA will add the subnet that your internal interface is using along with the reserved IP address ranges. How does it know which interface is internal? The Setup program prompts you with the selection of interfaces and allows you to choose one. Click Construct Table, select your internal interface, and then click OK. The local address table is the heart and soul of ISA’s TCP/IP subnetting capabilities. Miskey the LAT—i.e., leave something out or add something you shouldn’t—and you’ll have some problems that may be hard to diagnose.
9. You’re then presented with a message telling you what kind of LAT was constructed. Click OK.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 57
EXERCISE 2.1 (continued)
10. The window for constructing a LAT reappears, this time populated with your LAT. Note that you could have simply keyed in the subnets that you desired to be included in the LAT. You can also add subnets at this time if you wish. Click OK.
11. Next, you’re told that ISA is stopping relevant services.
12. You’ll then see an installation progress meter.
13. When Setup is almost finished, you’re asked if you’d like to immediately launch the ISA Server Management console. Note that the Start The ISA Server Getting Started Wizard check box is enabled by
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
58
Chapter 2
■
ISA Server 2000 Installation
EXERCISE 2.1 (continued)
default—when the Management console starts, it will position you at the Getting Started Wizard. Leave the wizard check box checked and click OK.
14. Setup will continue, adding registry keys, registering Component Object Model (COM) objects, and restarting the services it previously stopped. Finally, you’re notified that the installation was successful. Click OK to conclude the installation.
Well, there’s not much to that now, is there? If you’ve done a bit of preinstallation design work, especially paying attention to the size of your cache, the installation will go quite well. Next, we’ll take a look at the Management console and the Getting Started Wizard.
The Getting Started Wizard Several years ago, Microsoft declared that a strategic direction for the company would be to move toward a more administrator-friendly environment in which complicated tasks could be done through wizards. Microsoft may be a lot of things, but one thing the company does is live up to its strategic goals (whether they buy the technology or develop it inhouse). The wizards are a part of that environment and have been heavily
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 59
refined throughout the years. When I first got started with the wizards, I thought they were okay but largely unnecessary. Now I think I couldn’t live without them, especially with a huge product like ISA Server and all of the rules that you have to configure. Essentially what Microsoft has done with the Getting Started Wizard is to linearly group all of the steps you need to take in order to correctly configure your ISA Server. Note that you still need to know something about what ISA Server does and what it’s requiring within a given wizard step. Running through the wizard simply logically navigates you through your initial ISA Server configuration without having to surf around to find the area that you need to configure next. So, that being said, let’s go through this wizard, one screen at a time, and see if we can figure out what’s up with each section. We start with the Welcome section, shown in Figure 2.6. This section of the wizard simply gives you a bit of welcome text. But what you need to note from this first screen are the Help, Next, and Finish buttons at the bottom of the screen. Even though you’re within a Microsoft Management Console (MMC), these buttons have a very distinctive web page feel to them—i.e., they’ll underline themselves as you point to them so you know you’ve actually selected the button. Click Next to continue. FIGURE 2.6
The Welcome banner of the ISA Getting Started Wizard
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
60
Chapter 2
■
ISA Server 2000 Installation
The next section is called the Select Policy Elements section, shown in Figure 2.7. There are many things that you can set up while here: the server’s schedules, destination sets, user groups, and protocols. Note the Select Policy Elements icon near the bottom of the page. Click it, and you’re presented with a box, shown in Figure 2.8, that allows you to check and uncheck the criteria that you want to configure right away. FIGURE 2.7
The Select Policy Elements section of the ISA Getting Started Wizard
FIGURE 2.8
Various criteria you can configure through Select Policy Elements
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 61
Click Next to move to the Configure Schedules section of the wizard, as shown in Figure 2.9. Note that by default there are two schedules: Weekends and Work Hours. You can double-click either rule to edit the schedules, or you can click the Create A Schedule icon to create a new schedule. When editing a rule, you can change the rule’s name, add a description, or change its times. You might need to edit the Work Hours schedule because the default is 8:30 A.M. to 4:30 P.M., Monday through Friday, probably not an accurate representation of your company’s actual working hours. FIGURE 2.9
The Configure Schedules section of the ISA Getting Started Wizard
Click Next to move down to the Client Sets section of the wizard. A client set is a grouping of computers by IP address. You’ll find client sets handy if you’re applying specific rules to a given set of client computers. Figure 2.10 shows the wizard screen, and Figure 2.11 shows the Client Set configuration dialog box. Note that, by default, there are no client sets created.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
62
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.10
The Client Sets section of the ISA Getting Started Wizard
FIGURE 2.11
The Client Set dialog box
Click Next to reach the all-important Configure Protocol Rules section of the wizard, shown in Figure 2.12. Within this section are two different wizards that you can run. By clicking the Create A Protocol Rule For Internet Access icon, a screen of which is shown in Figure 2.13, you can
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 63
set up a rule that allows the protocols needed for outbound Internet access. Note that by setting up this rule, you have not yet granted users the ability to access the Web. There is more to it than that—this is just one wizard in a series of three that are required to simply open up ISA and get it going. You can also click the Create A Protocol Rule icon to run a wizard that allows you to set up inbound or outbound access or deny rules for any of the schedules that you have set up. FIGURE 2.12
The Configure Protocol Rules section of the ISA Getting Started Wizard
FIGURE 2.13
The second screen of the Create A Protocol Rule For Internet Access Wizard
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
64
Chapter 2
■
ISA Server 2000 Installation
Note that you could navigate through the ISA Management console to access these same wizards without first going through the Getting Started Wizard.
Click Next to advance through the Getting Started Wizard, and you arrive at the Configure Destination Sets section. Destination sets are interesting because they’re not always used for what you might suspect—that is, setting up Internet destinations that users are allowed to go through. You can provide even more granular control to destination sets by tying them to specific client sets as well. You’ll also use destination sets when you start getting into web and server publishing (discussed in Chapter 3). Figure 2.14 shows the Configure Destination Sets section of the Getting Started Wizard. Click the Create A Destination Set icon to run a wizard that will set up a destination set for you. FIGURE 2.14
The Configure Destination Sets section of the ISA Getting Started Wizard
The next section of the wizard is the Configure Site And Content Rules section, shown in Figure 2.15. A site and content rule controls the content that users are allowed to see with a given destination set. (Note that there
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 65
is an All Destinations destination set that you can use even if you have not created a specific destination set. You can apply a site and content rule to a specific client set or to specific users and groups as well, so there’s tremendous flexibility within this rule. It’s important to understand that a site and content rule really can’t take the place of web-filtering software if you’re interested in keeping your users away from undesirable sites but you’re granting them carte blanche surfing otherwise. For a poor person’s web-filtering component, you could, I suppose, set up a site and content rule that allowed only a select set of URLs for a given client set. That’s entirely appropriate in certain cases, but it just won’t do in most. FIGURE 2.15
The Configure Site And Content Rules section of the ISA Getting Started Wizard
Navigating still, you arrive at the Secure Server component of the Getting Started Wizard, as shown in Figure 2.16. Secure Server is your opportunity to set the security level of the ISA Server. Click the Secure Your ISA Computer icon, and you will be immediately prompted that there’s no turning back from the settings you select when you run this wizard, as shown in Figure 2.17.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
66
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.16
The Secure Server section of the ISA Getting Started Wizard
Next you’re presented with the three options, Dedicated, Limited Services, and Secure, as shown in Figure 2.18. You’d use Dedicated for those cases in which you’re running ISA as a dedicated stand-alone firewall server. You’d select Limited Services if you were running ISA on a domain controller (DC) or as an infrastructure server (perhaps as a member of an ISA array, for example). Limited Services is a good choice if you’re running an ISA box that has been installed in integrated mode. You’d select Secure if the ISA computer is concurrently running databases or other applications. Once you’ve made your selection, click Finish to conclude the wizard and return to the Getting Started Wizard.
You’ll be presented with a dialog box that might make you think the Server Security Configuration Wizard is a one-time only deal—perhaps frightening you into thinking that you cannot rerun it. The warning, in reality, is there to warn you that succeeding changes are not logged and hence are not privy to being undone.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 67
FIGURE 2.17
The ISA Server Security Configuration Wizard warning
FIGURE 2.18
The ISA Server Security Configuration Wizard options
The next section of the Getting Started Wizard is the Configuring Firewall Protection section, as shown in Figure 2.19. This section is aptly named because it is here that you’ll enable IP packet filters and set up Intrusion Detection settings, thus protecting the ISA Server itself from onslaught. (We talked about both in Chapter 1.) Click the Configure Packet Filtering And Intrusion Detection icon to bring up the IP Packet Filters Properties sheet that these two components utilize, as shown in Figure 2.20. Note that IP packet filtering is enabled. Even if you’ve not yet configured any IP packet filters, note that there are some created at ISA Server installation time—predominantly filters that center around ICMP (ping).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
68
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.19
The Configuring Firewall Protection section of the ISA Getting Started Wizard
FIGURE 2.20
The General tab of the IP Packet Filters Properties sheet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 69
The next step of the wizard is the Configure Dial-Up Entries screen, as shown in Figure 2.21. If you have a modem or X.25 connection, you can use Windows 2000’s Routing and Remote Access Service (RRAS) to dial up a connection, whether it’s a connection to another ISA Server or a connection to the Internet. Note that this section of the wizard contains the Configure A Dial-Up Connection icon, which pulls up a window not associated with ISA Server, the Network And Dial-Up Connections section of Windows 2000, as shown in Figure 2.22. You can directly key in the new phonebook entry by clicking this icon and then create a dial-up entry within ISA Server by clicking the Create A Dial-Up Entry icon. FIGURE 2.21
The Configure Dial-Up Entries section of the ISA Getting Started Wizard
Navigating downward through the Getting Started Wizard, you arrive at the Configure Routing For Firewall And SecureNAT Clients section of the wizard, as shown in Figure 2.23. This is where you configure firewall
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
70
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.22
The Network And Dial-Up Connections window, called from the Getting Started Wizard, Configure Dial-Up Entries section
FIGURE 2.23
The Configure Routing For Firewall And SecureNAT Clients section of the ISA Getting Started Wizard
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 71
chaining, i.e., the forwarding of client requests to another ISA Server, by clicking the Configure Firewall Routing icon to bring up the Network Configuration Properties sheet shown in Figure 2.24. ISA Servers that receive these requests are called upstream servers. FIGURE 2.24
The Network Configuration Properties sheet
You’ve almost completed the Getting Started Wizard. The next screen is the Configure Routing For Web Browser Applications section, shown in Figure 2.25. Click the Configure A Routing Rule For Web Browser Applications icon to bring up the Default Rule Properties dialog box, which allows you to forward content to an upstream server, set up caching, perform bridging (bridging is discussed in Chapter 3), and so forth. Note that there is a single default rule whose sole purpose is to extract the requested content from the actual destination site, as shown in Figure 2.26. Finally, you arrive at the Configure Cache Policy section of the wizard, as shown in Figure 2.27. Here you can click the Configure Cache Policy icon to bring up the Cache Configuration Properties dialog box; the HTTP tab is shown in Figure 2.28. Within this dialog box, you can set up active caching, set Time To Live (TTL), and configure other settings.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
72
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.25
The Configure Routing For Web Browser Applications section of the ISA Getting Started Wizard
FIGURE 2.26
The Action tab of the Default Rule Properties dialog box
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 73
FIGURE 2.27
The Configure Cache Policy section of the Getting Started Wizard
FIGURE 2.28
The HTTP tab of the Cache Configuration Properties dialog box
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
74
Chapter 2
■
ISA Server 2000 Installation
We’ve now walked you through the Getting Started Wizard. Any time you’d like to run the wizard after you’ve closed it, simply navigate to the Internet Security And Acceleration Server node of the ISA Management console and click the Getting Started Wizard icon. There’s one last thing we should point out before concluding this section. As you’re navigating through the ISA Management console, you can turn the icons off. At the top of the ISA Management console, under the View menu, simply choose Advanced instead of Taskpad, and the icons will go away. The default view is Taskpad. Figure 2.29 shows the Taskpad view, and Figure 2.30 shows the Advanced view. FIGURE 2.29
Taskpad view
Installing ISA As a Member of an Array We’ll cover arrays in far more detail in Chapter 5. But there are some points that need to be made within this chapter relative to the installation of ISA Server in an array. You gain several benefits from running ISA Server in an array: ■
You can create enterprise policies and allow them to flow down to downstream ISA Servers. You can set up enterprise policies so that downstream ISA administrators are either forced to utilize
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 75
FIGURE 2.30
Advanced view
them or can modify them as they see fit. In the former case, admins can add more enterprise rules to the set already in place but cannot take away any rules. Keep in mind that Allow policies are not possible in arrays that have enterprise rules in effect—only Deny policies. In other words, if you’ve set up a set of enterprise policies (that may conceivably consist of Allow and Deny rules), then admins who are formulating local array policies are not able to create Allow rules. It would defeat the purpose of the enterprise policies if John, a local admin, were able to override enterprise policies you had put in place in order to allow Sarah to visit a site your rules would not allow her to go to. ■
■
You can set up URL caching in a hierarchical fashion. For example, if a user in Campus B requests a URL, the ISA Server in Campus B is checked first and, if it is not found, then the main ISA Server in Campus A is checked. You can set up elaborate chaining of firewall rules and forward specific requests to upstream servers for rule evaluation.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
76
Chapter 2
■
ISA Server 2000 Installation
For ISA to be utilized in an array, Active Directory must be installed and running on the network. Your first ISA Server installation will require that you extend the AD schema—a task that’s not to be taken lightly in a production environment. You should develop a test root specifically for the purposes of testing such extensions before you go forward and extend a production schema. You should also back up the production servers before extending the schema.
After extending the schema, you then go forward with your first ISA Server installation, giving the array a name, resulting in an array that other array members can join when they are installed. As you install more array members, the AD schema no longer needs to be extended: You simply connote the array that members will join. Schema extension requires that the account you’re using be a member of the Domain Administrators group and the Schema Admins group as well as a member of the Local Administrators group on the computer.
Note that only members of the Enterprise Admins group can make or modify enterprise policy. A domain admin could only accept the default enterprise policy.
You can promote a stand-alone ISA Server installation to an array installation very quickly and easily, provided it’s hooked into a Windows 2000 network and you’re working with the Enterprise Edition of ISA Server. Just follow these steps: 1. First, in the ISA Management console, right-click the server name
and select Backup. Back up the server’s configuration to a file on disk. 2. Next, run the enterprise initialization either by inserting the ISA
Server CD and selecting Run ISA Server Enterprise Initialization or by running msisaent.exe from the i386 directory of the installation files. This will extend the AD schema. 3. Next, go back to the ISA Management console, right-click the server
name, and select Promote; then run through the configuration screens outlined in Chapter 5.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installing ISA Server 77
Part of the configuration that you’ll go through when setting up your first array server is to decide how the enterprise and array policies will be set up. You have several choices: Use Array Policy Only This means that local ISA admins will be allowed to create their own array policies for the server they manage. Although an enterprise policy gets created, it’s not put into effect (something you can do later on if you so desire). Use This Enterprise Policy If you set up an enterprise policy and do not check the Also Allow Array Policy check box, then local admins will not be able to configure array policies. Any array policies currently in place will be overwritten by the enterprise policy—meaning that you should back up any old configurations prior to implementing an enterprise policy. Allow Array-Level Access Policy Rules That Restrict Enterprise Policy In this case, you’ve created an enterprise policy, but you’re also going to allow local admins to create their own more-restrictive array policies. Local admins cannot create policies that override or loosen your enterprise policies. Allow Publishing Rules There’s a minor “gotcha” associated with this check box. If you don’t check it, then publishing rules are not allowed anywhere in the array. If you do check it, then you must consider your publishing design carefully. Because published servers have different IP addresses, you can set up one ISA array member to listen for requests on one IP address and another ISA array member to listen for a different IP address for another published server. You must do this on a server-by-server basis, which requires some thought and design on the part of admins who have large ISA implementations with published servers throughout the enterprise. Force Packet Filtering On The Array This option forces packet filtering on every server in the array and cannot be overwritten by array policies. Setting up an ISA Server array is a simple thing to do—extend the schema and install your ISA Servers. However, designing the array for optimum performance in an enterprise environment will require some forethought and, no doubt, tweaking at deployment time.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
78
Chapter 2
■
ISA Server 2000 Installation
ISA Server in an Array You should know that you’re going to use several ISA Servers in an array prior to your actual deployment. Why? Well, first of all, you should know that ISA Server Enterprise Edition is a much more expensive product than ISA Server Standard Edition. But more important than that, ISA Server Enterprise Edition requires you to extend the Active Directory (AD) schema—provided, that is, that you want to use ISA in an array. If your intent is to merely utilize it as a stand-alone installation, then you don’t have to extend the schema. In fact, there’s a separate section of the initial installation banner that allows you to prepare the schema for ISA. Can you leverage stand-alone installations of ISA Server? Certainly, but you’ll lose the interoperational characteristics of ISA functioning in an array. For example, perhaps you anticipate massive numbers of hits on just a few websites by your internal users. Caching would be handy, but in a large enterprise with thousands or tens of thousands of users, perhaps you’d overload your ISA Server by allowing it to NAT and perform web caching. So, you design a separate ISA caching server to handle the caching load. Stand-alone installations wouldn’t allow the integration of the two servers—but an array installation would. It’s advisable to sit down with pencil and paper (okay—stylus, pocket PC, and Visio) and really diagram out the various flows that you think your system will use. Try to estimate what kind of loading impact the servers will undergo, and then make a decision about a stand-alone or array installation.
Upgrading from Microsoft Proxy Server 2.0
S
uppose that you have an older Microsoft Proxy Server 2.0 installation and you want to upgrade it to ISA Server. What are the steps involved and how do you go about getting the server upgraded? This is the topic of discussion in this section.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Upgrading from Microsoft Proxy Server 2.0 79
Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server. Back up the Proxy 2.0 Server configuration.
■
You must first understand that there are several things to consider when formulating your upgrade decisions: ■
You can chain MS Proxy Server 2.0 and ISA Servers together.
■
ISA Server does not support the IPX protocol; MS Proxy Server does.
■
■
■
■
MS Proxy Server cannot run on Windows 2000 Server computers without a lot of pain on your part. The NT 4.0 computer that MS Proxy Server is running on must be upgraded to Windows 2000 Server, SP1. Once you’ve started the upgrade process, there is no automatic method for going back should you decide to undo your upgrade. You cannot upgrade from MS Proxy Server 1.0, Microsoft BackOffice 4.0, or Microsoft Small Business Server. You cannot install ISA Standard Edition on an MS Proxy Server upgrade computer and have ISA be an array member. You must use ISA Enterprise Edition when you want the server to be an array member.
Performing the Upgrade Upgrading your MS Proxy Server 2.0 installation to ISA Server is very straightforward. Following are the steps that you’ll go through when performing such an upgrade process: 1. From the MS Proxy Server 2.0 computer, back up your MS Proxy
configuration. Open the MS Proxy Server 2.0 Internet Service Manager, shown in Figure 2.31, and double-click any of the servers shown there.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
80
Chapter 2
■
ISA Server 2000 Installation
FIGURE 2.31
The MS Proxy Server 2.0 IIS Manager interface
2. When the Properties sheet comes up, shown in Figure 2.32, click the
Server Backup button. FIGURE 2.32
One of the MS Proxy Server 2.0 Properties sheets
3. In the Backup window, specify the path you want to back up to, as
shown in Figure 2.33, and then click OK. Note that the backup filename will begin with MSP, followed by the year, month, and day of the backup, and then an MCP extension (e.g., MSP20000701.MCP). You can save this file elsewhere for safekeeping if you so desire.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Upgrading from Microsoft Proxy Server 2.0 81
FIGURE 2.33
The MS Proxy Server 2.0 Backup window
4. Next, close the Internet Service Manager window and then stop and
disable the following services on the MS Proxy Server 2.0 computer: wspsrv, mspadmin, mailalrt, and w3svc. 5. Now you’re free to commence your upgrade to Windows 2000. You’ll
be prompted that Windows 2000 has found MS Proxy Server 2.0 and that it is not compatible with Windows 2000, as shown in Figure 2.34. If the Proxy Server is a member of an array, you must remove it from the array before proceeding. FIGURE 2.34
MS Proxy Server 2.0 is incompatible with Windows 2000.
6. Disconnect the computer’s Internet interface while you install
ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
82
Chapter 2
■
ISA Server 2000 Installation
7. Install ISA Server. 8. Reconnect the Internet interface, configure the rules, and test the
configuration. Finally, there are some additional technical things to keep in mind when planning your upgrade: Server Publishing In MS Proxy Server 2.0, you could publish servers (Exchange begin the most typical server-publishing effort that was made), but you had to configure the server as a Winsock proxy client and configure the wspcfg.ini file to go along with the application. You’ll want to revisit any publishing that you were doing under the Proxy Server genre and consider changing to the ISA Server format, which uses SecureNAT as a client and does not require wspcfg.ini— saving much troubleshooting time and grief in the long run. Port 8080 Requirements MS Proxy Server 2.0 listened on port 80, but ISA Server listens on port 8080. Therefore, any downstream MS Proxy Server installations that you’re going to keep in the chain must be reconfigured to listen on port 8080 instead. Chaining If the ISA Server is the downstream server, then Web Proxy and firewall chaining are supported. If MS Proxy Server 2.0 is the downstream server, then only Web Proxy chaining is supported. Note that Windows proxy chaining in MS Proxy Server 2.0 is the same thing as firewall chaining in ISA Server. Caching The MS Proxy Server 2.0 cache configuration is kept at migration time and is incorporated into the ISA Server. However, cache content will not be migrated because ISA Server’s cache engine is much more sophisticated than the MS Proxy Server 2.0 cache engine. SOCKS Migration The SOCKS protocol is designed to handle TCP traffic through a proxy server. It checks incoming and outgoing packets and hides the IP addresses of application clients. MS Proxy Server 2.0 provided support for a SOCKS application filter, as does ISA Server. However, any SOCKS rules coming from MS Proxy Server 2.0 at upgrade time are not brought into ISA Server. Authentication Rules ISA Server supports Basic, Digest, Integrated Windows, and Client Certificate authentication. MS Proxy Server 2.0’s default authentication methods were Basic and Integrated.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Upgrading from Microsoft Proxy Server 2.0 83
It’s important to understand this phenomenon because it’s very possible that you’ll get into some authentication difficulties as you migrate to ISA Server. Only Internet Explorer 5 (IE 5) clients or above understand and support Integrated Windows authentication, the default for ISA Server. Therefore, clients that are running previous versions of IE or another browser may not be able to connect, even though all of your other rules are correct. In order to allow all other web browsers access to the ISA Server, configure ISA to allow Basic authentication. Cross-Referencing MS Proxy Server 2.0 Features to ISA Server Domain filters in MS Proxy Server 2.0 translate to site and content rules in ISA Server. Winsock permission settings in Proxy Server translate to protocol rules in ISA. Publishing properties in Proxy Server translate to web publishing rules. Static packet filters in Proxy Server translate to open or blocked IP packet filters (not dynamic packet filters) in ISA. Web Proxy routing rules in Proxy Server translate to routing rules in ISA. Miscellaneous The LAT, dial-up settings, alerts, log settings, and client configurations are all migrated when you upgrade from MS Proxy Server 2.0 to ISA Server.
Should You Keep Your Exchange Server Publishing in Proxy Server 2.0? If you, like me, went through a lot of pain configuring Exchange Server 5.5 to talk to an MS Proxy Server 2.0 installation, you may be wondering if you should go through the grief of upgrading your MS Proxy Server to ISA Server. “If it ain’t broke, don’t fix it,” as they say. But ISA Server delivers so much more bang for the buck, especially in the realm of Exchange Server publishing, that it’s really worth your while to go through the upgrade pain. For example, you can get rid of the wspcfg.ini file, which, if you’ve messed around with booting Exchange Server and MS Proxy Server at all, you understand can create synchronization problems. If you boot the Exchange Server, you may have to stop and start the MS Proxy Server Winsock Proxy service in order to get things synchronized and working again.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
84
Chapter 2
■
ISA Server 2000 Installation
Also, MS Proxy Server merely maintained an open pipeline to Exchange Server’s port 25. When you configure ISA Server to handle Outlook Web Access (OWA)—and other Exchange Server functions, if you so desire—the packet filters are dynamically opened, keeping down the possibility of port attacks. On top of that, Exchange 2000 adds immense complexity to the scenario, with its front- and back-end server capabilities and the ability to host multiple stores across different protocols. It’s no longer your father’s Exchange Server—it’s big and complex and requires something with the intelligence and horsepower to manage it, and that would be ISA Server.
Troubleshooting Setup Problems
T
here are some common setup issues you may run into. In this short section, we detail those problems in order to give you some idea of places to look when things go wrong at setup time.
Troubleshoot problems that occur during setup.
Following are some common setup problems that you may run into as you go forward with your installation: ■
■
Computer acts funny (erratic, odd behavior) after ISA Server installation: This is most likely caused by the ISA Server being underpowered, i.e., it doesn’t meet the minimum system requirements, or the server computer you’re using isn’t on the Windows 2000 Hardware Compatibility List. Computer exhibits odd behavior if NAT or ICS is installed: ISA Server is supposed to work with a Windows 2000 Server that has NAT or ICS installed because it disables them at installation time; nevertheless, there have been complaints that these services have occasionally created problems. It’s best to remove the services from the server prior to installing ISA.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Troubleshooting Setup Problems 85
■
■
■
■
■
ISA Server services fail to start: This can result from an incorrectly configured local address table. The problem with this scenario is that if you can’t start the ISA Management console, you can’t fix the LAT! You’ll have to consult an article included in the ISA Server SDK titled “Constructing the Local Address Table” for more information on fixing the LAT in spite of non-functional ISA Server services. If you use an Enterprise Edition of ISA Server to create a new array by right-clicking Servers And Arrays and selecting New ➣ Array, it’s not possible to add a computer to the new array. It appears that there have been some problems with adding computers to arrays that don’t have at least one member already. Chapter 5 discusses arrays in more detail. From addresses and To addresses in the LAT are identical: While this is theoretically possible, if you try to save an address to the LAT that already exists either as a From address or a To address, you’ll be presented with an error: “The IP range already exists in the local address table (LAT).” Enterprise Edition of ISA Server is incorrectly configured with the address of the external interface of ISA Server in the LAT: This creates a problem because the ISA Server must contact Active Directory to reference its configuration information, but since the external interface’s address is in the LAT, this is not possible. The result is that the ISA Server Control Service (ISACTRL) will not start. You can fix this problem by installing the ISA Server Management console on any other Windows 2000 computer and then connecting to the array member and adjusting the LAT indirectly. ISA Server as a DHCP client can create problems for you: It’s possible that after installing ISA Server on a computer that’s configured as a DHCP client, you will not be able to use the IPCONFIG /RELEASE and IPCONFIG /RENEW commands to obtain a DHCP lease. You’ll have to reboot the computer in order to do so. The reason for this is that the DHCP client packet filter rule is not yet enabled. Enable it and you’ll be able to renew the server’s DHCP license. I guess I’d have to ask why you’re letting a server be a DHCP client, but to each his own.
We go into more detail on troubleshooting in Chapter 8.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
86
Chapter 2
■
ISA Server 2000 Installation
Summary
I
n this chapter, we talked about the installation of ISA Server and the assorted nuances associated with such a task. We mentioned that you need to validate what kind of Internet connectivity you have prior to installing ISA Server and make sure that your interfaces are correct for the given infrastructure. We discussed several configuration items such as the various ISA Server installation modes: integrated, firewall, and cache. We showed you how to construct and modify the LAT. We also talked about calculating the cache size of your ISA computer and showed how to configure it. We mentioned how to install ISA Server as a member of an array, noting that Chapter 5 goes into much more detail on ISA as an array member. If you have a legacy MS Proxy Server 2.0 installation, you can upgrade the server to ISA Server, but there are certain procedural issues you must take into consideration. You must back up the old Proxy configuration, stop the Proxy services, install Windows 2000 SP1, and then install ISA Server. Most of the old Proxy server settings will translate over to ISA Server. The web cache is not one of those items that makes the translation. Finally, we discussed troubleshooting problems that may arise during your ISA installation.
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: carrier
interfaces
Committed Information Rate (CIR)
Intermediate Data Facility (IDF)
demarc (d-mark, demarcation)
internetworking
discard eligible
Main Data Facility (MDF)
downstream server enterprise initialization
Microsoft Management Console (MMC)
external interface
upstream servers
Copyright ©2001 SYBEX, Inc., Alameda, CA
internal interface
www.sybex.com
Exam Essentials 87
Exam Essentials Be knowledgeable of the various ISA Server installation modes and when you’d use one over the other. Understand why you’d use integrated mode over cache or firewall mode and know what features are available in each mode. Know how to configure the LAT and configure and correctly size the cache. One of ISA Server’s wonderful claims to fame is its ability to increase the speed of a user’s Internet experience by locally caching URLs. You’ll run into problems if you don’t know how to correctly configure the LAT. Understand how ISA functions in an array and what’s required to make an ISA Server an array member. Arrays were a big deal with MS Proxy Server 2.0 and they’re an even bigger deal with ISA Server. Know how arrays go together, paying special attention to chaining. Know what’s involved in upgrading an MS Proxy Server 2.0 computer to an ISA Server. This is an easy thing to do, but you should understand the steps to take in order to accomplish the goal. Be able to troubleshoot ISA Server setup issues. Understanding what’s wrong and how to fix it plays an important role in any Microsoft test, as it does in real-life troubleshooting.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
88
Chapter 2
■
ISA Server 2000 Installation
Review Questions 1. You have extended the AD schema of your single-domain
Windows 2000 forest for ISA and installed a single array member. Now you’re planning on installing a second domain in the forest and alongside that a second ISA Server functioning as a second array member. You set up your second domain server just fine, but when you get ready to install your new ISA Server array member instance, you’re stopped with an error that says you don’t have permissions to access the Active Directory in order to query for ISA Server schema extension information. What could be the problem? A. The account you’re using is not a member of the Enterprise
Administrators group. B. The account you’re using is not a member of the Schema
Administrators group. C. The account you’re using is not a member of the Domain
Administrators group. D. The account you’re using is not a member of the Administrators
group. 2. You want to go forward with an upgrade of your MS Proxy Server 2.0
computer to ISA Server. You’ve backed up the Proxy Server configuration to another server and successfully upgraded the Proxy Server to Windows 2000 SP1. Now when you run the ISA Server Setup program, it halts with an error and you can go no further. Your research leads you to believe that the memory chips you’re using are not compatible with Windows 2000, and so you’ll have to purchase new equipment for your ISA Server. In the meantime, though, you have to restore the Proxy Server. How do you do this? (Choose all that apply.) A. Format the server’s hard drive and restore from tape. B. Use Add/Remove Programs to uninstall Windows 2000. C. Format the server’s hard drive, reinstall NT 4.0 and Proxy
Server, and then restore the Proxy backup. D. There is no way to do this.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 89
3. You have a single ISA Server running in stand-alone mode in your
Windows 2000 network. ISA Server has worked so well that now you want to introduce a second ISA Server as an array member to help out the first. What are the steps you need to go through to accomplish this goal? A. Install the second ISA Server hardware and Windows 2000 OS.
When running the ISA Server program, extend the schema first. Make a new array. Promote the first server to the new array. B. Install the second ISA Server hardware and Windows 2000 OS.
Run the ISA schema extension program on the first server. Install ISA Server on the second server to join the array. C. Install the second ISA Server hardware and Windows 2000 OS.
Run the ISA schema extension program on the first server. Promote the first ISA Server. Install ISA Server on the second server to join the array. D. Install the second ISA Server hardware and Windows 2000 OS.
Run the ISA schema extension program on the first server. Install ISA Server on the second server in stand-alone mode. Promote the second server to the array. 4. Your small e-business company, Dweeb.net, has up to now been
using a different firewall product. Now company managers have decided to replace it with ISA Server. You’ll need to be running some sort of firewall service while you’re in transition, as shown in the following exhibit. What items must you consider to facilitate this transition? (Choose all that apply.)
Internet
ISP
Router Backbone switch
Legacy firewall server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
New ISA Server
90
Chapter 2
■
ISA Server 2000 Installation
A. ISA interfaces B. Servers to be published C. Rules currently in place D. Name-resolution characteristics 5. You’re the network administrator for a company of 500 employees
that’s situated on two campuses—Campus A and Campus B, as shown in the exhibit. Campus A uses 192.168.0–63 (192.168.0/18), subnet mask 255.192.0.0 for its network number, while Campus B uses 192.168.64–127, subnet mask 255.192.0.0. Campus B is connected to Campus A by fiber optic gigabit Ethernet cable. How will you construct the LAT? (Choose all that apply.)
Internet
Router: Internal - 192.168.0.1 External - 177.48.30.12
ISP
Switch 192.168.0.2 Campus B 192.168.64-127 255.192.0.0
ISA
Campus A 192.168.0-63 255.192.0.0
Layer 3 switch: Internal - 192.168.64.1 External - 192.168.127.253
Layer 3 switch: Internal - 192.168.63.254 External - 192.168.127.254
A. On the ISA Server, add a route statement to account for the
192.168.64/18 network. Allow ISA to query the internal network card for addressing information. B. Allow ISA to query the internal network card for addressing
information on the 192.168.0/18 network. In the LAT configuration screen, key in the 192.168.64/18 information for the Campus B network. C. In the LAT configuration screen, key in the information for both
the 192.168.0/18 and 192.168.64/18 networks. D. This configuration will not allow you to connect to the
192.168.64/18 network. E. There’s not enough information to make a decision.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 91
6. You’re the perimeter network administrator for a network of about
5000 users. You’re installing a new ISA Server and are currently sizing the server. How much disk space should you plan on for the URL cache for this new server? A. 2.6GB B. 3.5GB C. 4.8GB D. 5.3GB E. 6.7GB 7. You have a network that has several MS Proxy Server 2.0 computers
set up in an array. Your design calls for keeping some MS Proxy Servers where they are because they’re in NT 4.0 domains that have not yet been joined the Windows 2000 forest (although two one-way trust relationships have been set up with each one). See the exhibit below. What Proxy Server chaining cannot take place in the upstream relationship to the ISA Servers? (Choose all that apply.) Internet
NT4 Dom. B Proxy Server
NT4 Dom. A Proxy Server Windows 2000 Dom. A ISA Server Windows 2000 Dom. A ISA Server
A. SOCKS chaining B. Windows chaining C. Firewall chaining D. Web Proxy chaining
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
92
Chapter 2
■
ISA Server 2000 Installation
8. You’ve set up a brand new ISA Server that will be used by both
internal and external clients. You’ve established a very basic set of test rules that allow internal clients to access websites using HTTP. Now you’re testing the external connection with a laptop that’s dialed into a different ISP than the ISA Server is connected to. You cannot access the ISA Server, nor can you ping it by hostname or IP address. What could be the problem? (Choose all that apply.) A. You’ve not yet created an A record in your ISP’s DNS server for
this new ISA Server. B. You’re not doing any publishing. C. The external interface is not configured correctly. D. The LAT has the external interface included in its list of
addresses. 9. You’re the administrator of a Windows 2000 network. You’re
installing your first ISA Server in what will be an array of three servers. Unfortunately, after installing the software, the ISA Control service will not start. What could be the problem? A. You’ve not yet extended the AD schema. B. The server has encountered a hardware problem on a non-HCL-
compliant component. C. The service account for the service is not a member of the
Domain Administrators group. D. You keyed the external address of the server into the LAT. 10. You have a Windows 2000 forest (see exhibit) upon which you’d
like to set up an array. What are the steps that you’ll go through to accomplish this goal?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 93
Internet
DOMA
SUBA.DOMA
SUBB.DOMA
A. Install the first server in DOMA. Extend the AD schema for
ISA. Install ISA Server. B. Install the first server in DOMB. Extend the AD schema for
ISA. Install ISA Server. Install ISA Server on servers in SUBA.DOMA and SUBB.DOMA. C. Install the first server in DOMA. Extend the AD schema for
ISA. Install ISA Server. Install ISA Server on servers in SUBA.DOMA and SUBB.DOMA. D. Install the first server in DOMA. Install ISA Server on servers in
SUBA.DOMA and SUBB.DOMA. 11. You have an ISA Server array that consists of three array members
in geographically different locations. You’ve set up the array so that enterprise rules are allowed, as well as array member rules. Bob, one of your ISA admins in another location, says that he needs to add a site and content rule that allows a marketing person in his office to access certain websites, but he doesn’t seem to be able to create the rule. What could be the problem? A. Array rules can only consist of Deny, not Allow, rules. B. Bob does not have the necessary permissions to add a site and
content rule. C. Only enterprise rules can contain site and content rules. D. The array member is incorrectly configured.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
94
Chapter 2
■
ISA Server 2000 Installation
12. You’ve just finished an ISA Server installation. None of the ISA
services will start. What could be the problem? A. No connection to Internet B. Incorrectly configured DAT C. Incorrectly configured LAT D. Insufficient service account permissions 13. You’re the administrator of SUBA.DOMA (see exhibit), a large
domain within a large company. The internetworking experts handle the firewall at the perimeter network, but you’d like to install an ISA Server on your network in order to manage the Internet usage of your internal clients as well as provide some third-party webfiltering software to keep users out of sites that have not been approved by your managers. How will you configure the external interface of your ISA Server? (Choose all that apply.) Internet
10.1.50 DOMA
10.1.60 SUBA.DOMA
Router: External - 116.63.42.113 Internal - 10.1.50.1
10.1.70 SUBB.DOMA
A. The external interface will point to the external interface of the
router as its default gateway. B. The external interface will point to the internal interface of the
router as its default gateway. C. The external interface will use a 10.1.50 IP address. D. The external interface will use a 10.1.60 IP address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 95
14. You have a network of about 500 users. What size should your ISA
Server cache be? A. 150MB B. 250MB C. 350MB D. 450MB 15. You are the administrator of an MS Proxy Server 2.0 computer that
has been successfully operational for over a year. You now want to migrate to ISA Server Standard Edition to take advantage of its increased functionality. What are the steps that you’ll take to accomplish this upgrade? A. Back up the Proxy Server configuration. Remove all array
members. Stop Proxy Server services wspsrv, mspadmin, mailalrt, and w3svc. Upgrade the computer to Windows 2000 SP1. Install and configure ISA Server. B. Back up the Proxy Server configuration. Remove all array
members. Stop Proxy Server services wspsrv, mspadmin, and mailalrt. Upgrade the computer to Windows 2000 SP1. Extend the AD schema. Install and configure ISA Server. C. Back up the Proxy Server configuration. Remove all array
members. Stop Proxy Server services wspsrv, mspadmin, mailalrt, and w3svc. Upgrade the computer to Windows 2000. Install and configure ISA Server. D. Back up the Proxy Server configuration. Remove all array mem-
bers. Upgrade the computer to Windows 2000 SP1. Extend the AD schema. Install and configure ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
96
Chapter 2
■
ISA Server 2000 Installation
16. You are designing a new ISA Server deployment that looks like the
following graphic. What will be the most likely installation modes that you will you use for each ISA Server?
Internet
Internal network
DMZ ISA Server A
ISA Server B
A. Integrated mode for both server A and server B B. Cache mode for server A and integrated mode for server B C. Firewall mode for both server A and server B D. Firewall mode for server A and cache mode for server B E. Firewall mode for server A and integrated mode for server B 17. You’re planning out a three-campus ISA Server deployment (see
exhibit). After a planning session with other technicians, you’ve mapped out the following requirements: ■
■
■
■
Campus B and Campus C must cache URLs. Campus A is also responsible for perimeter security in addition to URL caching, intrusion detection, Outlook Web Access (OWA) publishing, and web filtering using a third-party filtering product. For redundancy’s sake, two different ISPs will be provisioned, each with an incoming T1 circuit. Keep deployment costs down.
Your site is running Windows 2000 Active Directory throughout and all campuses are separate domains in a single forest. You maintain a DMZ that houses several e-commerce servers. Looking at the installation sequences below, pick the installation process that meets the above requirements.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 97
ISP A T1
Internet
ISP B T1
DMZ
Web server Web server Web server
Campus A
Campus B
Campus C
A. Configure a triple-homed computer to sit at the edge of the
network. Install ISA Server in firewall mode on this computer. Two of the interfaces will be external, each with different IP addresses. One will point to the DMZ. Install a second ISA Server in integrated mode on the internal network of Campus A. Install caching-only servers in Campus B and Campus C. B. Configure two ISA Server computers, each dual-homed to sit at
the edge of the network. Install ISA Server in firewall mode on both computers. One of the interfaces will be external. The other will point to the DMZ. Install a second ISA Server in integrated mode on the internal network of Campus A. Install caching-only servers in Campus B and Campus C. C. Configure a triple-homed computer to sit at the edge of the
network. Install ISA Server in firewall mode on this computer. Two of the interfaces will be external, each with different IP addresses. One will point to the DMZ. Install a second ISA Server in caching mode on the internal network of Campus A. Install caching-only servers in Campus B and Campus C. Server publishing won’t work with UDP.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
98
Chapter 2
■
ISA Server 2000 Installation
D. Configure two ISA Server computers, each dual-homed to sit at
the edge of the network. Install ISA Server in firewall mode on both computers. One of the interfaces will be external. The other will point to the DMZ. Install a second ISA Server in caching mode on the internal network of Campus A. Install caching-only servers in Campus B and Campus C. E. Configure two ISA Server computers, each triple-homed to sit at
the edge of the network. Install ISA Server in firewall mode on both computers. Two of the interfaces on each computer will be external, one with an IP address pointing to ISP A, the other pointing to ISP B. The other interface on each computer will point to the DMZ. Set up round-robin DNS records on each ISP DNS server for the two servers’ external interfaces. Install a second ISA Server in integrated mode on the internal network of Campus A. Install caching-only servers in Campus B and Campus C. 18. You are the administrator of a single-campus network that sits
behind a perimeter network managed by a separate group. The perimeter group handles the router that connects the company to the Internet, as well as a hardware-based firewall (see exhibit). The firewall connects to a backbone switch that servers can connect to. There is no DMZ. DNS services are performed by the ISP and managed through the perimeter team. You are designing a new ISA Server deployment. Your operational goals for this computer are as follows: ■
Allow for web publishing.
■
Allow for Outlook Web Access publishing.
■
Provide web filtering.
■
Manage the list of users allowed out onto the Internet.
Your site is running Windows 2000 Active Directory in a single forest. Looking at the installation sequence below, pick the installation process that meets the above requirements.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 99
ISP
Router
Hardware firewall
Backbone switch
Campus A Web server
Exchange server (OWA)
A. Install a triple-homed ISA Server in integrated mode. Have the
perimeter group add the new server’s IP address and name to the ISP’s DNS server. Purchase third-party web-filtering software and install it. Set up two publishing rules, one for web publishing and one for OWA. Create site and content rules. B. Install a dual-homed ISA Server in integrated mode. Have the
perimeter group add the new server’s IP address and name to the ISP’s DNS server. Purchase third-party web-filtering software and install it. Set up two publishing rules, one for web publishing and one for OWA. Create site and content rules. C. Install a triple-homed ISA Server in cache mode. Have the
perimeter group add the new server’s IP address and name to the ISP’s DNS server. Purchase third-party web-filtering software and install it. Set up two publishing rules, one for web publishing and one for OWA. Create site and content rules. D. Install a dual-homed ISA Server in cache mode. Have the perime-
ter group add the new server’s IP address and name to the ISP’s DNS server. Purchase third-party web-filtering software and install it. Set up two publishing rules, one for web publishing and one for OWA. Create site and content rules.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
100
Chapter 2
■
ISA Server 2000 Installation
19. You have purchased a copy of ISA Server Enterprise Edition. You’re
attempting to install the software as an array, but the option to Run The Enterprise Initialization is grayed out. What could be the problem? A. The computer you’re installing on isn’t on the Windows 2000 HCL. B. You’re installing on a Windows 2000 network that is not
running Active Directory. C. You’re installing on a Windows 2000 member server. D. You’re installing on a non-SP1 Windows 2000 computer. 20. What items will not be maintained as you upgrade from MS Proxy
Server 2.0 to ISA Server? A. Packet filtering rules B. Cache configuration C. Cache content D. Network settings
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 101
Answers to Review Questions 1. C. The account you’re using must be a member of the Domain
Administrators group. Your array membership efforts won’t be extending the schema but, understandably, the account you’re using needs to query the schema to make sure it has been upgraded. 2. A, C. There are two methods that will work for you. If you have a
good, recent, full tape backup, you can format the drive and then perform a restoration. Otherwise, you’ll need to format the drive, partition it exactly the way it was partitioned prior to the upgrade, reinstall NT 4.0 with the service pack level you were at before the upgrade, reinstall Proxy Server, and then restore the Proxy configuration from disk. If you’d left the configuration on the Proxy Server’s disk, you’d be stuck with trying to get a tape backup to work. Trying to overwrite Windows 2000 Server files with old NT 4.0 files from tape or CD would, I predict, result in disastrous consequences—hence the recommendation to format and start over. 3. C. We’re assuming in this question that your first server will continue
to be the primary ISA Server. You can bring up your second ISA Server’s hardware and install Windows 2000 on it. Then, using the first server, run msisaent.exe to extend the AD schema for ISA (or optionally extend it from the ISA Server Enterprise CD). Next, promote the first ISA Server to the array (and configure appropriate enterprise policies). Finally, install ISA Server on the second box and make it a member of the array as well. 4. A, C, D. In such a transition as this, you must make sure that the
new ISA Server has the same kind of ability to get out onto the external network as the existing firewall server. A key element in this design will be the external interface. Also, you will probably want to at least duplicate the current rule set in your new ISA box and then perhaps augment it as needed after deployment. Finally, you need to work out the name-resolution issues. Your new ISA Server probably won’t have the same name as the old firewall server (unless you’re doing some sort of quick out-with-the-old-in-with-the-new installation), so you’ll need to make sure that outside hosts can reference your new server by name. Typically this happens at your
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
102
Chapter 2
■
ISA Server 2000 Installation
ISP’s level—a quick phone call to the administrators who maintain the name servers will facilitate getting the new record into their DNS boxes. If you host your own external interface, then it’s up to you to make sure the new record is entered correctly. Most issues that external clients will encounter when communicating with you will revolve around inability to resolve your server’s name. 5. B, C. The two disparate networks cannot talk to one another without
benefit of a router, given their subnet mask. The switches are layer 3, which means they’re capable of acting as a switch and a router. In lieu of this connection, we’d need either a Windows 2000 RIP router or a small campus router at each end. Because routing is taking place, we can allow ISA to query the internal interface of the ISA Server, and we can key in the Campus B network number to complete the LAT. You could also key in the appropriate information, but it’d be easier to simply let ISA query the interface. 6. A. Microsoft recommends 100MB for the first 100 users and 0.5MB
for every 2000 users thereafter. Therefore, you’re looking at 2.6GB of cache alone, not including the space needed for the log files. 7. A, C. When the MS Proxy Server is upstream to ISA Servers, only
Web Proxy chaining (known as Windows chaining in Proxy Server) is allowed. If the ISA Server is upstream to the Proxy Server, both Web Proxy and firewall chaining are allowed. There’s no such thing as SOCKS chaining. 8. A, B. The first and most obvious problem is that you’ve probably
not yet updated your ISP’s DNS server with the address and name of the new ISA Server. The only way you’d get away with not having to do some DNS work would be to completely remove the old firewall server and put up the new ISA Server in its place using the same name and IP address as the old. Second, you’re not doing any publishing, so there’s nothing to hit anyway. In this situation, you have rules set up for internal access to Internet websites, but you haven’t done anything about external users accessing the ISA Server. Nothing happens without you first configuring a rule for it. And it’s a great thing that you’re not able to ping the ISA Server. It proves that the default IP packet filters designed to prevent the Ping of Death attacks are working.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 103
9. D. If you’re working with an array (hence extending the schema and
ruling out answer A), remember that ISA configuration information is obtained from AD. Since the external interface’s address was included in the LAT, ISA Server is unable to query the AD for configuration information and the service fails to start. 10. C. Left out of this answer is the fact that you also join the array
initially created in DOMA and that you configure the enterprise policies (or lack thereof) while configuring DOMA’s ISA Server. 11. A. Since you’ve allowed array rules, meaning that the administrators
in the remote sites can create rules over and above the default enterprise rules offering, Bob can create only Deny rules, not Allow. If it were possible to create Allow rules, local admins could override the enterprise rules and positively wreak havoc. 12. C. The minor mistake of keying in erroneous entries in the LAT
could really hose your ISA deployment—so much so that the ISA Server services may not start. It gets worse. In order to fix this problem, you have to modify the COM objects for ISA Server using a special technique outlined in an ISA Server Software Development Kit (SDK) document. Pay very careful attention as you configure the LAT. 13. B, D. The ISA Server’s external interface will continue to use a
10.1.60 IP address and will point to 10.1.60.1 as its default gateway. 14. C. The Microsoft recommendation is 100MB to start with plus
0.5MB for each user thereafter for your cache. 15. A. You’re installing the Standard Edition of ISA Server, so you can’t
extend the AD schema, even if you wanted to. Answer C details the few steps necessary to accomplish this task. Any members of an MS Proxy Server 2.0 array should be removed. They will retain their configurations even though they’re no longer functioning in an array.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
104
Chapter 2
■
ISA Server 2000 Installation
16. E. Firewall mode is used for servers that directly face the Internet as
the first line of defense. Such is the case with server A. While you could make a case for making server B a firewall server as well, you can’t do any caching with a firewall-only server, so it makes sense to put a caching server in where server B would sit. 17. E. I like answer E the best because it reduces cost but allows you to
do all the things you need to get done within the design requirements stipulated here. See the exhibit below. If you’d opted for design A, you would’ve been left with a single point of failure on the ISA Server computer itself. This design also facilitates a modicum of load balancing.
ISP A T1
Internet
ISP A T1
DMZ
ISA Server A
Web server Web server Web server
ISA Server A
ISA Server A ISA Server A
ISA Server A Campus A
Campus B
Campus C
18. B. Set up the ISA Server in integrated mode. Cache mode won’t
support everything you need to do. Dual-homed is fine because you can use two different IP addresses on the same NIC for your webpublishing duties. The perimeter group will need to have the DNS server updated with the address of your new computer. Install a third-party web-filtering software package that works with ISA and configure it. Set up your web and OWA publishing rules. Create your site and content rules for the groups you’ll allow out and the ones you want to keep in. Packet filtering and intrusion detection are done at the hardware firewall.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 105
19. B. In order to set up ISA in an array, you must run the enterprise
initialization first, but in order to do that you must be running Active Directory. Otherwise, the installation is done in standalone mode. 20. C. Because ISA Server’s cache is much different than Proxy Server’s,
the cache content is dumped although the cache configuration is retained.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
Basic ISA Configuration
3
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Configure and troubleshoot outbound Internet access. ✓ Configure ISA Server hosting roles. ■
Configure ISA Server for Web publishing.
■
Configure ISA Server for server proxy.
■
Configure ISA Server for server publishing.
✓ Configure H.323 Gatekeeper for audio and video conferencing. ■
Configure gatekeeper rules. Rules include telephone, e-mail, and Internet Protocol (IP).
■
Configure gatekeeper destinations by using the Add Destination Wizard.
✓ Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
T
his chapter is about how you actually go about configuring ISA Server. When you first install ISA, you get a basic configuration setup that’s probably not right for what you’d like to accomplish (essentially nothing is configured or ready to go—your ISA Server at installation time is a boat anchor). So you’ll have to go about the business of configuring ISA for your needs. There are, of course, three different installation modes: cache, firewall, and integrated (a cross between cache and firewall). But, apart from URL caching, what do you expect to get out of an ISA Server? In this chapter, we’ll talk about three server roles: web publishing, server proxy, and server publishing. We’ll also talk about a tertiary role that you’ll probably sooner or later be interested in, especially if you have an Exchange 2000 deployment looming on the horizon: H.323 Gatekeeper for audio and video conferencing.
Configuring and Troubleshooting Outbound Internet Access
Undoubtedly, the very first issue you’ll want to contend with is getting your internal clients connected to the Internet. You’ll probably be using your first ISA Server as a replacement (or intended replacement) for an MS Proxy Server 2.0 or other firewall product, and so it will be important for you to get an early “win” with the new server—to prove that it works. On top of that, the majority of the questions on the ISA test will revolve around users’ inability to access the Internet. So it’s important that we get this issue solved posthaste.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting Outbound Internet Access 109
Configure and troubleshoot outbound Internet access.
There are two approaches to configuring your ISA Server for Internet access. The first is to leave the server with a tightly closed door and add rules as you see fit until you get to a point where you think you’re catching all possible outgoing and incoming traffic but you’re excluding traffic that shouldn’t be allowed. This can get tricky because you’re not exactly sure what it is that users might need or want out of an Internet experience. Therefore, you’ll be in discovery mode until you nail down your site with a modicum of user satisfaction. Note that user satisfaction may or may not include things like Internet radio—it’s up to you and management to work out an acceptable Internet use policy and not the subject of this book. This rigorous approach to setting up your ISA Server will take more time, but it will lead to a closely scrutinized firewall that can ensure that you know exactly what’s coming in and going out the door.
Keep in mind that users using the SecureNAT client will not be able to access the ISA Server if they have to cross a router to get to the server and the router has not been equipped with a forwarding address that points to the server. In cases where you have two subnets separated by a router, with an ISA Server in one subnet, you’ll have to either install the Firewall client on the client computers in the non-ISA subnet or configure a forwarding rule on the router to point these users to the ISA Server. You’ll see many test questions requiring your understanding of this basic, yet elusive topic.
On the other hand, what I’d probably recommend in most situations is an open-door methodology for your first ISA Server. What I mean by that is that you’ll start with a pretty wide open door and then shut it gradually. It’s almost easier to open up all access and then tweak it back until you get to where you want to go rather than the opposite tack described above, where you start with nothing and work your way out to something. Each of these approaches is diagrammed in Figure 3.1.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
110
Chapter 3
■
Basic ISA Configuration
By default ISA Server is completely locked down, so you’ll have to go through one of the following approaches to unlock it.
FIGURE 3.1
Two different approaches to configuring ISA Server for Internet traffic
ISA Server closed
ISA Server open
Add rules to meet needs.
Take away rules to meet needs.
Let’s talk about both solutions, just so you have a feel for what can go on in either case. We’ll start with the closed-door method.
Closed Door With this method, you begin with your native ISA Server installation. For purposes of our discussion here, we’ll talk about the first ISA Server in the array. Note that if you build an array member and join a pre-configured ISA array, depending on how you configured the first server in the array, you might inherit the enterprise policies that were created then. But in this case, we’re talking about either a stand-alone server or the first one in the array. Since we’re really going to knuckle down on this server and close the door as much as possible, we’ll start by creating client sets that reflect the groups of users you’re going to allow out onto the Internet. We’ll assume that you’ve already set up the ISA Server so that there’s no way to bypass it if someone were to learn a different default gateway. What I mean by this is that if users were to learn the default gateway of the router going to your ISP and be smart enough to point to it instead of your ISA Server, they’d effectively bypass any ISA Server security altogether—and we wouldn’t want that—you must close that door prior to ISA Server installation. You do that either through installation of the Firewall client on all client computers or by working with the internetworking (router) team to prevent people from being able to access the gateway router.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting Outbound Internet Access 111
Once you’ve created the client sets, you then create site and content rules that allow your users onto the Internet. With these rules, you’re setting up what sites users can visit, what times of the day they can go there, and who can go there. You would not want to think of a site and content rule as a poor man’s web-filtering component, where you’re keeping people away from undesirable sites. That component is reserved for third-party web-filtering software that you buy to snap into your ISA Server. Users cannot yet access the Internet because you need to establish a set of protocol rules that stipulates to ISA Server what protocols are allowed for both outbound and inbound access. You’ll probably want to start with a de facto set of rules, such as allowing HTTP, HTTPS, and FTP out and no access in. At this stage of the game, provided you’ve configured the server’s NICs correctly and verified that you have an external and internal connection and that your Local Address Table (LAT) is correctly configured, your users should be able to access the Internet. At this point, you can begin waiting for the phone to ring in order to find out what other unique Internet scenarios people might desire and whether to enable them or not (some scenarios might not be something corporate policy allows).
Open Door The opposite scenario also requires a well-installed ISA Server with NICs that are correctly set up and a LAT that accurately reflects your network’s users. This time, we make life easy and then work toward more security as time goes on. Start by creating an IP packet filter rule that opens up all incoming packets from all remote computers. (Remember that we’re going to tighten down the security, so for now the barn door goes wide open and it’s a two-way door.) Next, create a site and content rule that allows all users access to all sites at all times for all content. There’ll be no funkiness with destination or client sets—we’re allowing everyone full-on access. (We need to reiterate here that without web-filtering software in place, “full-on access” means undesirable sites as well.) Now create a protocol rule that allows all protocols any time from any source. We’ll use Exercises 3.1 through 3.3 to show you how to accomplish the open-door method of verifying that ISA Server is working.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
112
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.1
Setting Up an Open-Door ISA Server IP Packet Filter The methodologies will be slightly different here depending on if you’re working with the first member of an array or with a stand-alone server. If working with an array member, you’ll use the nodes found in the Enterprise section of the ISA Management console. This exercise assumes that you’re working with a stand-alone installation.
1. In the ISA Management console, click the View menu and then verify that the Taskpad option is checked. We’ll use taskpad view for this exercise.
2. Next, navigate to Access Policy ➣ IP Packet Filters. Click Create A Packet Filter. The New IP Packet Filter Wizard starts up.
3. Key in a meaningful name for this packet filter—perhaps All Packets Allowed. Click Next.
4. The Filter Mode window appears and is defaulted to Allow Packet Transmission. We’ll go with this option. Click Next.
5. The Filter Type window appears next, as shown below. In this case, we don’t want to set up a predefined packet filter but create a custom filter. Select the Custom radio button and click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting Outbound Internet Access 113
EXERCISE 3.1 (continued)
6. The Filter Settings window appears. The purpose of this window is to give you an opportunity to select an IP protocol, port, and direction of flow that you want to allow or block. The window is defaulted to IP Protocol of type Any, Direction of Both, as shown below. We’ll live with that. Click Next.
7. The Local Computer window appears. Here we’re asked to select the IP addresses to which this particular IP packet filter will be applied. Again, we’ll live with the default of Default IP Addresses For Each External Interface On The ISA Server Computer. Click Next.
8. Now we see a Remote Computers window in which we select the remote computers to which this IP packet filter will be applied. (Recall that the chief use of IP packet filters is to block a packet of a given IP protocol type on a given port. This window provides enhanced granularity because you can also say, “Oh, not only do I want this IP packet filter in effect, but watch for packets like this only when they come from certain computers on the Internet.” Pretty clever, eh?) Again, the default of All Remote Computers is fine. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
114
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.1 (continued)
9. Click Finish to wrap up your generic IP packet filter configuration. Note that there are seven IP packet filters that came pre-configured with the ISA Server. You’re adding this new IP packet filter to this list; furthermore, it takes its place as first in the list.
Next we’ll create a fully open site and content rule in Exercise 3.2. EXERCISE 3.2
Setting Up an Open-Door ISA Server Site and Content Rule 1. In the ISA Management console, navigate to Access Policy ➣ Site And Content Rules. Click Create A Site And Content Rule. The New Site And Content Rule Wizard starts up.
2. Key in a meaningful name for this rule—perhaps All Sites. Click Next. 3. The Rule Action window appears and is defaulted to Deny Client Requests For Access. We want to allow all access, so click the Allow radio button instead. Click Next.
4. The Destination Sets window appears. The purpose of this window is to set up the sites that you’re applying this particular rule to. Since we’re interested in allowing anyone to go anywhere, we’ll go with the default of All Destinations. Click Next.
5. Next the Schedule window appears. The purpose of this window is to allow you to determine the schedule that this rule will adhere to. Unless you configure a new schedule, the default choices are Always, Weekends, or Work Hours. We’ll stick with the default of Always. Click Next.
6. The Client Type window appears. Here you’re asked to select the clients to which this rule will be applied. Again, we’ll live with the default of Any Request, thus allowing the rule to apply to all users. Click Next.
7. And that’s it—you’ve finished with the site and content rule. Click Finish.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting Outbound Internet Access 115
Finally, we need to create a generic protocol rule that allows all protocols. Exercise 3.3 shows how. EXERCISE 3.3
Setting Up an Open-Door ISA Server Protocol Rule 1. In the ISA Management console, navigate to Access Policy ➣ Protocol Rules. In the Details pane, click Create A Protocol Rule For Internet Access. The New Protocol Rule Wizard starts up.
2. Key in a meaningful name for this rule—perhaps All Protocols. Click Next.
3. The Protocols window appears. This is a very interesting window because it presents the basic suite of Internet access protocols that your users might be interested in, as shown below. It differs from the more generic Create A Protocol Rule selection because all IP protocols are presented in the latter selection. In this instance, the only protocol that probably doesn’t need to be there is Gopher (Why do they insist on working with an outdated protocol such as this?), so you can deselect it if you want. Then click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
116
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.3 (continued)
4. The Schedule window appears. The schedule is exactly the same as that used for IP packet filters. We’ll get along with the default of Always. Click Next.
5. The Client Type window appears next. We’ll go with the default of allowing this rule to apply to requests from anyone, so we’ll leave the Any Request radio button selected. Note that you could instead opt to include only certain computers (based on client address sets) or specific users and groups taken from the Active Directory Users And Computers section. Click Next.
6. Click Finish to conclude setting up your wide-open protocol rule.
Once you’ve opened the barn door, you should test it out a bit with some computers that are outside the private network and on the Internet, as well as getting some users to test Internet access through the ISA Server. Things should work just peachy and users shouldn’t have any trouble accessing any website they desire. The final stage of this process is to tweak the settings down to the point where you’re comfortable that you have a secure setup. For example, you may not care for the FTP Download part of the protocol rule, so you’ll go back through and edit it to delete that component. You might not like allowing users to access the Internet during the weekends, so you might go back in and edit the schedule (noting that the default Work Hours schedule is set for 9 A.M.–5 P.M.—adjust it before setting the schedule differently than Always). You might also want to follow up with a third-party add-on web-filtering component so that you keep users from unapproved sites. I would expect that a third-party add-on component such as this should be part and parcel of your estimate for what the ISA Server deployment will cost (and plan on it increasing the budget fairly heavily). But by and large, you’ll probably mostly be interested setting up packet filters that keep untoward packets from entering your network. (Chapter 1, “Introduction to ISA Server,” talked a bit about the dishonest use of packets such as this and the ways that hacks can get into systems.) Here’s the deal: Use Netstat (discussed in Chapter 8, “Troubleshooting ISA Server”)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting Outbound Internet Access 117
and third-party port monitors to watch your ISA Server to see just exactly what ports are hit by outside users while you have the rule open. Then get to the bottom of it—why did those packets hit your ISA Server? If there’s a good reason that you can determine, they can stay. If not—out with them! You’ll set up a packet filter that disallows their entry in the future. You have to turn yourself into the Poirot of the IP packet filter community, for it is here and in the intrusion-detection features of ISA Server that you guard your network from outside intruders.
Internet Policy Conundrums Your company has an Internet policy that specifically restricts people from doing any form of shopping on the Internet as well as selling things through Internet auctions. The theory is that employees waste too much time utilizing these features (whether you disagree with it or not—yours is not to question why but to disallow according to policy). Well, let’s think about this. On a native ISA Server box, how would you disallow Internet shopping without knowing what sites users are hitting? You could, for example, set up site and content rules that restrict users from common shopping sites, but there are so many e-commerce sites out there that it’s ridiculous to think of such a thing. Then too, what about the occasional time when someone might need to use an e-commerce site to purchase something for company use—something that she’ll get reimbursed for later? Hmmm…. What about that? You could block eBay pretty easily—or could you? Does eBay use one IP address and a resolvable name? Or could you get to eBay through a workaround such as going through www.yahoo.com and then getting an indirect hit into eBay? If you simply block all outgoing HTTPS requests, you rule out none-commerce sites that users might legitimately need to connect to in the course of their business.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
118
Chapter 3
■
Basic ISA Configuration
You’re hosed. This is where third-party web-filtering software comes into place. With this kind of software, you can restrict e-commerce sites without restricting HTTPS. Moreover, there may be some argument for convincing management to simply get rid of the policy.
Configuring ISA Server Hosting Roles
I
n this section, we begin to talk about the various hosting roles for which ISA Server can be configured. We’ll look at a biggie—web publishing—first. The burning question that we hope web publishing will answer is this: “Can I get rid of my DMZ?” Next, we’ll talk about using ISA for a standard server proxy—setting up the things that go along with being a proxy server. Finally, we’ll talk about using ISA for server publishing.
Configure ISA Server hosting roles. ■
Configure ISA Server for Web publishing.
■
Configure ISA Server for server proxy.
■
Configure ISA Server for server publishing.
Configuring ISA Server for Web Publishing Publishing, the notion that you have internal web servers that publish their content through ISA Server, is a fantastic idea. But you can probably already hear the security gurus saying, “Oh, no you don’t! Not on my network!” But what if you could prove to them that ISA Server is an effective tool to use for reverse hosting, thus saving you the trouble of maintaining a DMZ? This is the mission of web publishing.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 119
Let’s start with a few very cool facts about web publishing. Suppose that you have different web servers on the internal network that you want to publish. Is this possible through a single ISA Server? Yes, indeed it is. The ISA Server Web Publishing Wizard allows you to set up redirection. The idea is that you publish each website on a different port. ISA Server manages the port locations and redirects users requesting a specific website to the appropriate port. Thus, the ISA Server can handle multiple internal web servers (or multiple websites hosted off a single web server) using this redirection technique. But the whole thing gets even cooler because you can also set up protocol redirection. Suppose that you want to publish an FTP site that downloads a specific file or files for some purpose. You can set it up so that users point to a given website address and are redirected to the FTP port, where they then grab the file from your internal FTP box, thus hiding and securing the fact that you’re allowing the user to use FTP. All told, there are three protocols that are supported through web publishing: HTTP, HTTPS, and FTP. In addition, you can set up rules that allow only specific groups of computers, based upon either IP address or user and group access to the web servers. In any case, even if you’re allowing the entire outside world to access your web server(s), all requests for other hosts on the internal network are immediately dropped.
Please try to remember that web publishing is hosted by the Web Proxy service, which is different than server publishing. Server publishing uses the Firewall service.
Preparatory Work There’s some preparatory work that you must do before you begin your web publishing efforts. The steps are simple, but you must remember them or your efforts will fail. You begin with making sure that the proper DNS entries are created. Remember that we said most external problems will probably arise
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
120
Chapter 3
■
Basic ISA Configuration
(barring the fact that the server is operational) from a name-resolution issue. If external users cannot resolve the hostname, they cannot access the site. The good news is that you can publish many different names for the same site. For example, you might have three separate entries such as music.mysite.com, news.mysite.com, and weather.mysite.com, all pointing to the same external address and to a specific port of your ISA Server. This is all done through the appropriately named Incoming Web Requests Listener. Whether you utilize your ISP for DNS name-resolution services or you provide the external DNS services yourself, it’s key that you create at least one Address (A) record, or Host record, in the external DNS box for the first name in the list. As with our above example, the initial A record would be a pointer from the name music.mysite.com to its IP address (the address of the external NIC of the ISA Server). Then you’d create either a second and third A record for the other two site names or an alias record, called a CNAME record. CNAME records are a bit easier to manage in the DNS scheme of things, so you may want to opt for them as opposed to additional A records.
You can publish DNS servers to external clients using ISA Server publishing. When utilizing such a methodology, do not include both external and internal zones on a single DNS box and then publish it. This would result in people being able to access the internal addresses of your network—a very uncool thing.
Destination sets come into play when you begin working with domain names pointing to internal servers. It’s important to remember that when you set up destination sets for web publishing, you need to think in terms of an external client coming into the private network, not vice versa, which (for me, at least) is the natural way to think of destination sets. Let’s use Exercise 3.4 to experiment with setting up a destination set that includes the domain names listed above (or if you have real-life domain names, you can certainly substitute them).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 121
EXERCISE 3.4
Setting Up a Destination Set for Web Publishing 1. In the ISA Management console, navigate down to the Policy Elements node and highlight Destination Sets.
2. Right-click Destination Sets and select New ➣ Set. The New Destination Set window appears.
3. In the Name text box, key in mysite.com. 4. In the Description text box, key in each of the domain names this site will be known by, as shown below.
5. Next, click the Add button to reveal the Add/Edit Destination dialog box.
6. In the Destination text box, type in the Fully Qualified Domain Name (FQDN) of the site, as shown below.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
122
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.4 (continued)
7. Click OK to return to the New Destination Set dialog box. 8. Click OK to return to the Destination Sets node. The new destination set should appear in the Details pane of the Destination Sets node.
If you had multiple internal websites you wanted to host, you’d have to configure the Incoming Web Requests Listener to listen on various ports. Remember that the listener can be on any port you choose, as long as the chosen port isn’t being used by any other protocol. By default, the listener listens on port 80. If you were to simply go in and change that port to something less conspicuous, say port 1250, your external clients would have to key in the port along with the URL to access the site, like so: http://www.mysite.com:1250. This isn’t a good situation to get into. Instead of configuring the Incoming Web Requests Listener to listen on the same port for all IP addresses, you configure it to listen on different ports for different addresses. We’ll use Exercise 3.5 to configure the listener for a specific port and IP address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 123
EXERCISE 3.5
Configuring the Incoming Web Requests Listener to Listen on a Specific Port 1. In the ISA Management console, navigate down to your server name (for a stand-alone installation) or to the array name (for an array).
2. Right-click the server or array name and then click Properties. The Properties window appears.
3. Click the Incoming Web Requests tab, as shown below.
4. Note that our choices are to Use The Same Listener Configuration For All IP Addresses (bad juju) or to Configure Listeners Individually Per IP Address (great idea if you’re hosting multiple internal websites with different IP addresses). As a matter of fact, you might want to consider configuring individual listeners even if you’re hosting multiple sites at a single IP address (a la IIS 5.0 virtual webs) because it makes it easier to track who’s accessing what.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
124
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.5 (continued)
5. Click the Add button to open the Add/Edit Listeners dialog box, shown below.
6. In the Server drop-down list, select the server that this listener will be tied to. (Note that in a stand-alone installation, there will be only one server in the list. In an array, multiple servers will show up.)
7. In the IP Address list box, select the IP address you want to assign to the listener.
8. In the Display Name text box, key in a meaningful name for this listener. This information shows up in the Incoming Web Requests page.
9. Select Use A Server Certificate To Authenticate To Web Clients if you intend to issue a certificate to external web clients. Note that you issue a single certificate to all clients, regardless of the number of websites on different listeners.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 125
EXERCISE 3.5 (continued)
10. In the Authentication section, choose Basic, Digest, Integrated, or Client Certificate, noting that the default is Integrated. Basic authentication is good for pre–IE 4 clients. Digest can be used only by Windows 2000 clients. Integrated uses either Kerberos or Windows NT Challenge/Response. Client Certificate requires that the external client have some sort of certificate in place and ready to go, which implies that the client is utilizing the Public Key Infrastructure (PKI).
11. Click OK to return to the Properties sheet. In the TCP Port field, change the port from 80 to a vacant port you want to use (in our case, 1250), shown below. Note that if you were hosting a Secure Sockets Layer (SSL) site, you’d select the Enable SSL Listeners check box.
12. Click the Configure button to reveal the Connection Settings screen, shown below. Note that you can set a maximum number of allowed connections or unlimited connections. Click Cancel.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
126
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.5 (continued)
13. Click OK to update the server properties. 14. You’re presented with a warning asking if you want to manually restart the services or allow ISA Server to restart them. The reason for manually restarting them after you close the box has to do with the fact that ISA Server waits for some free time before it cycles the services—which may mean that you don’t see the results you’re looking for immediately. Make your selection and click OK. If you opt to cycle the services on your own, navigate to the Monitoring ➣ Services node and cycle the services.
Actually creating the publishing rule is easy as pie once you’ve done your preliminary homework (DNS entries, destination sets, and routing entries). You navigate down through the ISA Management console to the Publishing ➣ Web Publishing Rules node. Right-click the node and select New ➣ Rule. Give the new rule a name, select the appropriate destination set, select the client type, create a rule action, and click Finish. We’ll use Exercise 3.6 to run through the steps. EXERCISE 3.6
Setting Up a Web Publishing Rule 1. In the ISA Management console, navigate down to Publishing ➣ Web Publishing Rules.
2. Right-click the Web Publishing Rules node and select New ➣ Rule. The New Web Publishing Rule Wizard appears.
3. Give the new rule a name—perhaps the name of the site you’re publishing, for example. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 127
EXERCISE 3.6 (continued)
4. You’re then prompted for the destination sets that you want to include in this rule. You can pick one, several, or all destination sets that you’ve created, or you can select All Destinations. For now, select Apply This Rule To Specified Destination Set, and select the destination set you created in an earlier exercise. Click Next.
5. Next, you’re asked which types of computers or users are allowed to access the site. You can choose Any Request, Specific Computers (Based Upon Client Address Sets), or Specific Users And Groups. Note that if you select Specific Computers or Specific Users And Groups, authentication will have to be enabled on the external NIC. Select Any Request and click Next.
6. You’re now presented with the Rule Action screen, shown below, the heart of the web publishing rule. ■
You would select Discard The Request if you wanted requests sent to the destination sets referred to in the rule to be dropped (sort of a reverse way of thinking about it—essentially you’re simply shutting off outgoing web requests to destination sets).
■
Select Redirect The Request To This Internal Web Server (Name Or IP Address) when you’re ready to publish the internal web server. You’ll key in either the server’s name or its IP address. Note that the internal NIC of the ISA Server will have to be able to utilize some name service, either WINS or DNS, to resolve the web server’s name if that’s the choice you make.
■
If you select Redirect The Request…, the Send The Original Host Header To The Publishing Server Instead Of The Actual One (Specified Above) check box becomes available. You’ll use this check box in two instances: The first is when you’re publishing multiple webs from one web server on a single external ISA NIC’s IP address, and you want to preserve the host headers so that when ISA sends the request to the web server, it knows to which web to send the request. Second, if you intend to use Outlook Web Access (OWA) to allow e-mail access from internal Exchange Servers through a browser, you’d use this check box.
■
Connect To This Port When Bridging Request As HTTP is used if you have your webs set up on a single web server and each web is set up on a different port (as opposed to using host headers).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
128
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.6 (continued)
When you create web publishing rules for sites set up this way, you’ll create several rules pointing to the different ports being used by the web server. ■
Connect To This Port When Bridging Request As SSL is the same as the bullet above, except for SSL ports on the internal web server.
■
Connect To This Port When Bridging Request As FTP is the same also, except for FTP sites.
Click the Redirect The Request To This Internal Web Server (Name Or IP Address) button, key in the server’s name or IP address, and click Next.
7. Click Finish to complete the rule.
It appears from the exercise above that you could get pretty intense with the web publishing rules, based upon the way that you have IIS and your various webs set up. In essence, the difference lies in the host header you’re using for the webs and whether you’re hosting on different ports or not. In either case, ISA Server has given you the ability to handle the situation and
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 129
host all webs through a single ISA external NIC. You can increase the granularity associated with this by simply creating client and destination sets that allow only certain hosts (perhaps your telecommuting users) to access the sites (perhaps simply for OWA). The key is thorough planning and understanding the layout of your Internet Information Server (IIS) versus the way that you plan on publishing the webs through the ISA Server. The above exercises work if your web server is different from your ISA Server. If you intend to actually publish your web on the ISA Server itself, then there’s one step you’ll have to go through before you create your Web Publishing Wizard: preparing the IIS portion of your ISA Server to listen to the ISA Server’s internal NIC. Let’s use Exercise 3.7 to accomplish this feat. EXERCISE 3.7
Setting Up IIS to Listen to ISA’s Internal NIC 1. From the ISA Server, choose Start ➣ Programs ➣ Administrative Tools ➣ Internet Services Manager. The IIS Manager MMC opens.
2. Expand the server and right-click Default Web Site, and then select Properties. The Default Web Site Properties dialog box appears.
3. In the IP Address drop-down list, select the IP address of your internal interface and select your ISA Server’s internal NIC address.
4. In the TCP Port text box, key in an arbitrarily high TCP port number such as 12,500. You can verify which ports are currently in use on your server by opening a command prompt and entering the netstat –na command. (See www.iana.org/assignments/ port-numbers for a list of well-known port numbers to stay away from when working through this exercise.)
5. When you are finished, stop and restart the default website, and you’re all set.
Next, you create your web publishing rule very similarly to Exercise 3.6, but when you get to step 6 of the exercise, you’ll key in the 12,500 port that you set up in Exercise 3.7 into the Connect To This Port When Bridging Request As HTTP text box, similar to the graphic shown in Figure 3.2.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
130
Chapter 3
■
Basic ISA Configuration
FIGURE 3.2
Mapping to a specially created IIS port
So there you have it. In your design methodology, figure out how you are going to host your websites, and then make a decision about the correct way to configure the ISA Server web publishing rules that will allow external clients to access the sites.
Protocol Redirection ISA Server supports a function called bridging. The concept is this: Perhaps you would like to afford Internet users the ability to access an internal FTP site using a browser (HTTP). By utilizing ISA Server’s bridging capabilities, coupled with web publishing, you can accommodate this need. You start by creating your web publishing rule as above. Then, after it has been created, edit it and navigate to the Bridging tab. There you’ll see three selections for incoming HTTP requests and three for incoming SSL. They are as follows: Redirect HTTP Requests As: ■
HTTP Requests
■
SSL Requests (Establish A Secure Channel To The Site)
■
FTP Requests
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 131
Redirect SSL Requests As: ■
HTTP Requests (Terminate The Secure Channel At The Proxy)
■
SSL Requests (Establish A New Secure Channel To The Site)
■
FTP Requests
So it turns out that you can bridge from HTTP to SSL or FTP and from SSL to HTTP or FTP. Note that the Bridging tab also allows you to set two other options: ■
Require Secure Channel (SSL) For Published Site
■
Use A Certificate To Authenticate To The SSL Web Server
We’ll talk more in the next section about the last bullet point. In e-commerce situations where you’re publishing commerce-type web servers to the Internet, you can see how you might require a secure channel for the published site. Or perhaps you’re publishing your intranet to the ISA Server for use by telecommuters and you want to make the site as secure as possible.
Using Certificates to Authenticate to an SSL Server Certificates are a very simple concept, but they require some thorough design and engineering planning on the part of the administrator. When it comes to publishing an SSL web server on ISA’s external interface, you must use certificates to accomplish your objective. Start by determining whether you’ll use your own internally created certificates or you’ll use a company like Verisign (www.verisign.com) or Thawte (www.thawte.com). If you’re setting up an extranet solution where you’ll be expecting traffic only from telecommuting-type users, you can use internally developed certs. If you’re setting up a commercial web server, a stronger cert is called for. With internally created certs, you create them on the web server you intend to publish from and then export them to the ISA Server. On the web server, run the Certificates MMC to perform the export operation and export the file to a floppy drive for sneakernet transport to the ISA Server (or to a shared folder on the ISA Server). Then move to the ISA Server and, using the same Certificates MMC, import the certificate. Next, open the ISA Management console, right-click the server, and select Properties to bring up the server’s Properties sheet. Presumably, the interface you want to edit has already been created—if so, highlight it and click Edit; if not, click Add.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
132
Chapter 3
■
Basic ISA Configuration
In the Add/Edit Listeners box, check the Use A Server Certificate To Authenticate To Web Clients check box, and then click Select to pick out the certificate you just imported. Click Apply, close the windows, and restart the ISA Server services. Next, you create a web publishing rule and, using the Bridging tab that we talked about above (which you got to by editing the properties of the web publishing rule), you select the Require Secure Channel (SSL) For Published Site option. You can also enable 128-bit encryption if required. The final thing to think about is that your users won’t be able to access the site through a native HTTP URL call. They’ll have to key in an HTTPS URL to access the site because they’re now accessing an SSL site and need to use the HTTPS protocol. You can take this whole process one step further by bridging your incoming SSL to SSL so that the entire transaction from the ISA Server to the web server is SSL. If you don’t do this, then by default the connection will be SSL from the client to the ISA Server and then HTTP from the ISA Server to the web box. Use the Bridging tab of the web publishing rule’s Properties sheet to set SSL to SSL Bridging. You’ll also have to edit the IIS server’s website properties to expect SSL traffic on this website. In the IIS Administrator console on the web server, navigate to the Directory Structure tab, and in the Secure Communications section, click Edit to open up the Properties sheet for Secure Communications. Click the Requires Secure Channel (SSL) check box. Note that you’d probably not be interested in pushing SSL clear through to the web box unless you have reason to believe that there’s a chance for it to be hacked somewhere between the ISA Server and its website destination (such as a situation where you’re moving from the ISA Server in one campus to the web server in another). Also note that you can opt to use IPSec in place of certificates between the ISA Server and the web server by making the ISA Server a client (respond only) in its IPSec policy and the web server a server (require security) in its IPSec policy. IPSec, by virtue of its capabilities, can really hammer a computer (meaning that it’s CPU- and RAM-intensive), so if there’s no need for tight internal security, forget it and stick with internal HTTP. Figure 3.3 shows these three unique scenarios.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 133
FIGURE 3.3
Three different methods of contact between ISA and web servers
Internet cert Web server
Client
ISA Server HTTP
SSL
Internet cert Web server
Client
ISA Server SSL
SSL using cert
Internet cert Web server
Client
ISA Server
SSL using IPSec
SSL
Note that even if you use IPSec for the internal secure transport of data between the ISA and web servers, a certificate is still required for the external interface of the ISA box. It’s important to understand that ISA requires that a single certificate be attached to a web listener. If you need more than one secure site published, you’ll have to create separate listeners and then go through the process of attaching a different certificate to each listener.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
134
Chapter 3
■
Basic ISA Configuration
If you’re using a third-party certificate, do not attach it to the ISA Server; attach it to the internal web server.
Some Cautionary Notes There are a couple of things you’ll have to keep in mind when setting up web publishing through an ISA Server. First of all, you’ll have to be cognizant of the authentication methodology referred to in step 10 of Exercise 3.5 above. Be aware that this authentication is between the client computer and the ISA computer only. After the client is in the ISA Server door, the authentication method that is set up at the website is then used. If you’ve not set up an authentication method at the website, basic and anonymous credentials are used. If you have set up an authentication method, validation credentials are required of the client again. Note that you cannot use Digest or Integrated authentication at the website itself, even though you may have validated the user at the ISA Server using either authentication method. Second, you should be aware that you’ll probably have to use the ROUTE ADD command to add the routes to the website or sites you’re publishing at the internal ISA NIC. The internal NIC does not have a default gateway; therefore, a route cannot be consulted for the path to the website. Thus, you’ll want to enter a persistent connection into the route list for the ISA Server’s internal NIC. Remember that the command is ROUTE -p ADD ip_address MASK subnet_mask default_gateway METRIC metric IF interface, where interface is the internal NIC’s interface.
Configuring ISA Server for Server Proxy Now let’s look at how to configure ISA Server to act as a server proxy. As a review from Chapter 1, what we mean by server proxy is that the ISA Server is acting on behalf of, or as a proxy to, your internal servers. There is a very subtle difference between server proxy and server publishing.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 135
With server publishing, you can walk through a publishing wizard in order to take care of all of the requirements that you might not have thought of. One of the items that the server-publishing wizard takes care of is the dynamic opening and closing of the port or ports involved with the application. There is no need to create any IP packet filters because the publishing wizard sets up the necessary details for you. But the server-publishing wizard knows about only 19 protocols (as of this writing), so there may be instances where you might need to consider server proxy instead. Server proxy means that you set up on the ISA Server’s external NIC the appropriate IP packet filters that are required for your application. The up-front design determination simply amounts to the following steps: ■
■
■
■
■
Determining the protocol (TCP or UDP) that your server will be using Determining the port number that’s in use Configuring a protocol definition, protocol rule, IP packet filter, and destination set that handles the application transaction work Determining what kind of client the application server will be Assuring that the internal interface can resolve the hostname of the application server
Suppose, for example, that you have a little-known protocol invented by a game manufacturer—let’s call the protocol Starcon. It uses TCP and resides at port 20,350. You desire to publish your Starcon server to the Internet (for what strange reason, we don’t know), so you need to introduce this protocol and set up appropriate ISA Server rules for it. Here’s how to do it. First, you must create the protocol definition: 1. Navigate to the Policy Elements ➣ Protocol Definitions section of
your ISA Management console. Right-click and select New ➣ Definition. 2. Give the new protocol definition an easy name to remember, perhaps
Starcon inbound. 3. In the Primary Connection Information screen, type in the port
number of 20,350, and make sure the protocol type is set for TCP and the direction is Inbound.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
136
Chapter 3
■
Basic ISA Configuration
4. Secondary connections are for more complex systems that pass off
a request that came in on one protocol to a different protocol for processing. Secondary connections aren’t needed for our fictitious Starcon protocol, so we’ll ignore this section. 5. Click Finish to create the new rule, and then double-click the rule to
edit its description to say Starcon Inbound. Next, you must create a protocol rule: 1. Navigate to the Access Policy ➣ Protocol Rule node of your ISA
Management console. Right-click Protocol Rule and select New ➣ Rule. 2. In the Rule Name text box, type in a meaningful name for the rule.
In this case, we’ll call it Starcon. 3. Since you want to allow clients to utilize this rule, select Allow in
the Rule Action section of the wizard. 4. Apply the rule to Selected protocols, and select the Starcon rules we
created previously. 5. Choose an Always schedule. 6. Allow Any Request to access Starcon. (You could easily narrow the
list down to specific users and groups or computers.) 7. Click Finish to complete creating the new protocol rule.
Now you need to create the IP packet filter to handle this rule: 1. The next node down from Protocol Rule in the ISA Management
console is the IP Packet Filters node. Right-click it and select New ➣ Filter. 2. In the IP Packet Filter Name text box, name this filter Starcon. 3. Allow packet transmission. 4. Select Custom from the Filter Type list because there isn’t anything
pre-built for Starcon. 5. The next section, Filter Settings, is where the rubber meets the
road. Select the IP protocol of type TCP. Select a direction of Both, presumably because we’re dealing with a game and there’ll be twoway traffic using this protocol. Make the Local port a Fixed port, and give it port number 20,350; do the same for the Remote port.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 137
6. Apply this packet filter to the Default IP addresses for each external
interface on the ISA Server computer. 7. Apply this filter to all remote computers. 8. Click Finish to conclude creating your new IP packet filter.
Then you need to create a destination set: 1. Navigate to Policy Elements ➣ Destination Sets to create a new
destination set for your Starcon server. Right-click Destination Set and select New ➣ Set. 2. In the New Destination Set text box, key in a name for the
destination. Use something meaningful such as Starcon. (Remember that when we speak of published servers, the destination set is thought of from the external client’s vantage point). In the Description text box, key in a description for your Starcon server. Click Add to add a name or IP address for your Starcon server. 3. In the Add/Edit Destination text box, enter the IP address or
FQDN of your Starcon server. (It’s best not to push the NetBIOS envelope by keying in a machine name.) Click OK to finish the destination set. 4. Ensure that the internal interface of the ISA Server is equipped to
resolve the internal Starcon computer’s name by verifying that Starcon’s references appear in DNS. 5. Ensure server client capability by configuring the Starcon computer’s
default gateway to point to the internal interface of the ISA Server computer, thus making it a SecureNAT client. Woomph, there it is! Sounds like a lot of steps, but in four separate windows, using 10 or 15 minutes of your time, you can publish a server that uses a little-known protocol that isn’t familiar to ISA Server. Another use for IP packet filters and server proxying is configuring ISA Servers on the DMZ. In a perimeter network (another name for the DMZ), you can’t publish your internal servers. Instead, you’ll have to resort to packet filtering, protocol rules (and, if need be, protocol definitions), and destination sets. The key to the whole configuration is the destination set. You’re able to direct external clients to any host on the network, provided the ISA Server can resolve the hostname. Keep in mind (especially for the test)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
138
Chapter 3
■
Basic ISA Configuration
that the Firewall client uses the ISA Server for name resolution, while the SecureNAT client uses its own name-resolution capabilities. Knowing this, you can ensure that clients are able to utilize DNS or WINS nameresolution services for computers they need to access if they’re a SecureNAT client. You can also ensure that the ISA Server itself is duly equipped if Firewall clients are in use. You can also configure Web proxy clients to point to the ISA Server for name-resolution services.
When you think of “server proxy,” think of “IP packet filters.” When you think of “server publishing,” think of “publishing rules.”
Configuring ISA Server for Server Publishing You can publish almost any server application to the Internet for external clients to access. This feature of ISA Server, called server publishing, can be extremely useful if you’re interested in putting certain server functions out on the Web. Some ideas come to mind: ■
■
■
Publishing Terminal Server in administration mode for network administrators to be able to manage the network from the Internet Publishing Terminal Server in application mode for external clients to be able to access internal applications Publishing SMTP e-mail
Keep in mind that web publishing uses ISA’s Web Proxy service while server publishing uses the Firewall service.
There are some things to consider with server publishing. First of all, you don’t need IP packet filters because the publishing wizard sets up dynamic filtering—the opening and closing of ports on demand—making your publishing safer than if you created static packet filters. Also, you won’t use a destination set when you’re working with server publishing. In addition, client address sets can consist only of IP addresses.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 139
Servers that publish to the Internet through ISA Server will in most cases be SecureNAT clients of the ISA Server. There may instances where you have to install the Firewall client and play around with a special configuration file (actually a holdover from the MS Proxy Server 2.0 days) called wspcfg.ini.
E-Mail Server Publishing One use of server publishing centers around publishing e-mail servers onto the Internet either for supporting incoming and outgoing SMTP e-mail (typically on port 25) or for using Exchange Server’s Outlook Web Access (OWA) for extranet access to the internal e-mail system by authenticated users. Either case is valid, though the SMTP use will probably be more desirable at first. Publishing an e-mail server for Internet e-mail If your needs are very basic, that is, you simply want to make your Exchange Server available to Internet clients so that e-mail can be sent back and forth, then the ISA Server has a wizard for you. You can use the Mail Server Security Wizard to create the environment needed to publish your internal e-mail server (it doesn’t have to be Exchange) to the Internet. There’s a slight operational difference between whether your e-mail server software is on the internal network or is installed directly on the ISA Server computer. In the former case, you create protocol rules to allow Internet clients access to the e-mail server. In the latter case, you create IP packet filters instead. Publishing Outlook Web Access through ISA Server You can set up Exchange Servers that are able to host OWA so that telecommuters can access their e-mail over the Internet from anywhere that they can gain access to the Web. This extranet feature is a great convenience for people who have to travel but need to keep up with their e-mail while on the road. No VPN access is required because you’re simply connecting to the ISA Server from your favorite web browser and mapping back to the Exchange Server’s OWA folder. Let’s walk through a couple of exercises to illustrate the creation of the above functions. First, Exercise 3.8 navigates you through the Mail Server Security Wizard.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
140
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.8
Running the Mail Server Security Wizard 1. From the ISA Management console, navigate to Publishing ➣ Server Publishing Rules.
2. Right-click the Server Publishing Rules node and select Secure Mail Server from the shortcut menu. The opening screen of the Mail Server Security Wizard appears, as shown below. Click Next.
3. In the Mail Services Selection window, you select the protocols that will be supported through the ISA Server for the mail server. Note that in most cases, as shown below, you have the choice of Default Authentication or SSL Authentication—you can choose either or both. Checking the Incoming Microsoft Exchange/Outlook Default Authentication check box opens up the NetBIOS and Remote Procedure Call (RPC) protocols and may present too much of a security risk in most environments. (You should use OWA instead). POP3 and IMAP4 are e-mail client protocols. The Network News Transport Protocol (NNTP) may or may not be interesting to you when you’re setting up your mail server security settings because this protocol governs the joining of newsgroups and the reading of information posted on them. The Apply Content Filtering check box allows you to set up SMTP filtering if you want to prohibit a given computer or domain from sending e-mail to your internal server through port 25. For this exercise’s purposes, check all check boxes and click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 141
EXERCISE 3.8 (continued)
4. You’re prompted for the external interface IP address of the ISA Server, as show below. Enter an address in the External IP Address text box and click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
142
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.8 (continued)
5. Now you’re prompted to key in the IP address of the internal mail server or, optionally, to indicate that the e-mail is running on the local ISA Server. In the case of our exercise, enter the address of your Exchange Server and click Next.
6. Click Finish to conclude the Mail Server Security Wizard.
Note that once you’ve finished running the wizard, several new rules appear in the Server Publishing Rules section of the ISA Management console, all prefaced with the phrase “Mail wizard rule.” It’s important to understand that no IP packet filters were created because the Firewall service can dynamically open and close the appropriate ports as needed without benefit of an IP packet filter. Well, that’s pretty straightforward, quick, and easy—great for getting mail servers published to the Internet. But how do we go about setting up ISA so that telecommuters desiring to obtain their e-mail can use OWA from the Internet? Let’s use Exercise 3.9 to see how this is done.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 143
EXERCISE 3.9
Setting Up ISA Server for OWA A prerequisite to this exercise is that you must have Internet Information Server (IIS) installed on the Exchange Server you wish to publish. This is because OWA depends on IIS for its capabilities.
1. Start by creating a destination set for the new OWA capabilities. Navigate through the ISA Management console to Policy Elements ➣ Destination Sets. Right-click Destination Sets and select New ➣ Set. In the New Destination Set window, give this new set a meaningful name such as For OWA, and in the Name/IP Range field, give it the address of the ISA Server’s external interface.
2. Click the Add button to reveal the Add/Edit Destination dialog box, as shown below.
3. In the Add/Edit Destination dialog box, in the Path text box, type in /exchange/*. Then click OK. The path will then appear in the New Destination Set window, as shown on the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
144
Chapter 3
■
Basic ISA Configuration
EXERCISE 3.9 (continued)
4. Repeat steps 2 and 3 twice, the first time keying in the path of /exchweb/* and the second time the path of /public/*. You’ll wind up with a screen similar to the one shown below. Click OK to complete the creation of the OWA destination set.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring ISA Server Hosting Roles 145
EXERCISE 3.9 (continued)
5. Since OWA is actually a web app, we’ll use a web publishing rule to finish up its publication. From the Publishing ➣ Web Publishing Rules node of the ISA Management console, right-click and select New ➣ Rule.
6. Give the rule a name similar to the destination set you just created— OWA or Outlook Web Access will do. Click Next to open the Destination Sets window.
7. In the Destination Sets window, from the Apply This Rule To dropdown list box, select Specified Destination Set. Then when the additional drop-down list boxes appear as a result of making this selection, choose the OWA destination set you just created. Click Next.
8. In the Client Type screen, select Any Request and click Next. 9. In the Rule Action screen, select Redirect The Request To This Internal Web Server (Name Or IP Address), and in the box that opens up, add either the name or the IP address of the server that’s providing OWA. Also click the Send The Original Host Header To The Publishing Server Instead Of The Actual One (Specified Above) check box. Click Next.
10. Click Finish to conclude creation of the web publishing rule.
In most cases, you’ll likely be replacing an existing firewall server or augmenting it, and you’ll probably already be hosting your port 25 activities through this existing firewall (which in many cases might be a Microsoft Proxy Server 2.0 installation). So a good design plan would involve the methodology you’ll use when you cut over from the old to the new, with few drop-in Internet e-mail capabilities while the cut is being made. My guess is that you’ll opt to simply put the new server in place of the old, because if you don’t, you’ll have to reconfigure lots of workstations’ default gateways to point to the new server—something that’s doable through DHCP but takes quite a bit of time. Sliding a new box in place of the old box, with the new taking over the IP address information from the old, is a good way of quickly solving the problem. However, you must do ample testing to make sure that you have the rules tightened down before you put the new computer into production.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
146
Chapter 3
■
Basic ISA Configuration
So How Do You Test the New Box Anyway? You’re testing a new ISA Server. You want to make sure that you’ve tweaked it properly before you put it into production. Putting nonoptimized computers into production usually results, at a minimum, in user unhappiness and could potentially create a lot of user havoc. The key to this kind of testing is to closely duplicate the production scenario without going into production to get your testing done. There’s probably no reason why you can’t hang your ISA Server off the perimeter of the network alongside your existing firewall solution so that you can test it live and on the Internet. Set up a few internal workstations with the default gateway of the new ISA Server’s internal interface. Use these as test machines to verify that Internet connectivity is working. Set up your server and web publishing rules. Use some external computers to traverse the Internet and hit your new ISA Server to see if the rules are working. The only place you’ll run into some difficulty is in the DNS naming structure you’re going to use for this new server. If you get your DNS name entered and set up early on, external users can hit your new box by name. If not, do your testing by IP address, realizing that you still may face a name-resolution issue. When you’re satisfied that the new computer has gone through ample testing, you can go ahead and put it into production. Do this during a maintenance window after production hours so you impact as few users as possible. As always, communicate, communicate, communicate, so that users and stakeholders are aware of what you’re doing. Test the implementation right after you put it into production. Have the troubleshooting staff available during the first production hours to put out any initial fires. Include all of this work in a project plan and, above all, include a backout procedure in your plan so that all stakeholders are aware of how you’ll back out should anything go wrong.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 147
Configuring H.323 Gatekeeper for Audio and Video Conferencing
N
ow let’s talk about setting up an H.323 Gatekeeper for your NetMeeting clients. You start by creating a destination or destinations and then create your phone, e-mail, and IP address rules. We follow this order in the sections below. The H.323 Gatekeeper that comes with ISA Server is there for the purpose of allowing your H.323 clients to contact another H.323 client across the Internet by e-mail address or phone number through safe gateway connections. Generally speaking, when we talk about the H.323 client in the Microsoft server world, we’re talking about the Microsoft NetMeeting client, although certainly there are others such as White Pine’s CUSeeMe Pro and Sun’s SunForum.
See http://www.openh323.org/h323_clients.html#sunforum for a list of H.323 clients.
What does NetMeeting do? It’s a user interface that is designed to allow you to connect with another NetMeeting user (or other H.323 client) by phone or over the Internet. It provides capability for the following functions: ■
Video and audio conferencing
■
Virtual whiteboard
■
Chat
■
Internet directory
■
File transfer
■
Program sharing
■
Remote desktop sharing
■
Advanced calling
■
Security
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
148
Chapter 3
■
Basic ISA Configuration
Users who have suitably equipped computers (see www.microsoft.com/ netmeeting for minimum specifications) can contact one another, view one another, talk to one another over microphones, and collaborate and share documents utilizing the features of the software. If you are running a Windows operating system and have NetMeeting installed, when you first try to run the product, you’re presented with an introductory wizard that walks you through the basic setup components. You’re asked for your first and last names and your e-mail address. NetMeeting utilizes the e-mail address when someone tries to contact you by e-mail address, similarly to a regular phone directory. It uses the names to publish your entry in the directory, although, like the phonebook, you can opt out of publication. You’re also prompted with a speaker test and a microphone test as well as a test of the speed of your connection to the Internet. Once the wizard has finished, the NetMeeting interface comes up, as pictured in Figure 3.4. FIGURE 3.4
The NetMeeting client
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 149
NetMeeting provides functionality that Exchange 2000’s Instant Messaging (IM) does not provide, although Exchange 2000’s Conferencing server is designed to interface with NetMeeting clients. Exchange 2000 provides full H.323 support in addition to ISA Server support.
NetMeeting uses a directory locator service called the Internet Locator Service (ILS) in order to find people with whom to share a NetMeeting virtual conference. Microsoft publishes its own directory on the Internet, or you can choose to host your own ILS for internal NetMeeting sessions. When you install and configure the H.323 component of ISA Server, you do away with the need for an ILS. There is a minor problem with this, however, and that is that clients who are not behind an ISA gateway cannot connect with your NetMeeting client (unless your ISA Server is acting as an ILS). The reason for this is that the ISA H.323 Gatekeeper was designed with three purposes in mind: ■
■
■
To facilitate user-to-user calling via an intranet (probably the most functional usage and the one with the most usefulness) To provide a way for one ISA Gatekeeper to call and register with another Gatekeeper (keeping hosts from using NetMeeting directly on the Internet) To provide a way for an IP network to contact a Public Switched Telephone Network (PSTN) gateway
In other words, the Gatekeeper is to be used to facilitate internal client–to–internal client NetMeeting sessions and not for ordinary overthe-Internet sessions that one might arbitrarily set up for some other purpose than to collaborate on a given project or document. The concept is business-oriented in nature and provides a way that users across the Internet can virtually collaborate on things, including the ability to take over another user’s computer.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
150
Chapter 3
■
Basic ISA Configuration
The H.323 Gatekeeper is an optional ISA Server installation component. If you’ve not installed it, you’ll need to do so in order to avail yourself of its capabilities.
When the NetMeeting client runs through the first wizard screen and you configure it with the first and last names and e-mail address, it is ready to be used to connect to any ILS. But in the ISA Server H.323 Gateway world, we’ll not be using an ILS, so it’s important to configure the NetMeeting client so that it uses the Gatekeeper instead. We’ll use Exercise 3.10 to run through the steps involved in configuring the NetMeeting client.
EXERCISE 3.10
Configuring the NetMeeting Client for the ISA H.323 Gatekeeper 1. Open the NetMeeting client and choose Tools ➣ Options. Then click the Advanced Calling button. The Advanced Calling Options window appears.
2. Put a check in the Use A Gatekeeper To Place Calls check box. 3. In the Gatekeeper section, key in the FQDN or IP address of the internal interface of the ISA Server running the Gatekeeper.
4. Check the Log On Using My Account Name check box, and in the Account Name text box, key in the account name.
5. Check the Log On Using My Phone Number check box (if desired), and in the Phone Number text box, key in the phone number (remembering to exclude the dashes).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 151
EXERCISE 3.10 (continued)
6. Click OK twice to go back to the NetMeeting client. If the H.323 Gatekeeper is running, the client will connect with the Gatekeeper and a system tray icon of two monitors will appear.
Note that NetMeeting clients on the Internet can contact NetMeeting clients on the internal network and behind an H.323 gateway, provided that they configure the NetMeeting client with the address of the external interface of the ISA Server within the NetMeeting software. Here’s how: 1. In the NetMeeting client, choose Tools ➣ Options. 2. From the General tab of the Options dialog box, click the Advanced
Calling button to open the Advanced Calling Options window. 3. In the bottom frame of the window (the Gateway Settings frame),
check the Use A Gateway To Call Telephones And Videoconferencing Systems check box. Then key the FQDN of the external interface for your ISA Server into the Gateway text box, as shown in Figure 3.5. 4. Click OK twice to finish the configuration of the client.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
152
Chapter 3
■
Basic ISA Configuration
FIGURE 3.5
Configuring an Internet-based NetMeeting client to access NetMeeting clients behind an ISA Server H.323 Gatekeeper
Configuring Gatekeeper Destinations by Using the Add Destination Wizard Configuring the Gatekeeper is very easy. You begin by creating a destination so that ISA Server can utilize the routing rules and know where to send the request for a NetMeeting connection.
Configure H.323 Gatekeeper for audio and video conferencing. ■
Configure gatekeeper destinations by using the Add Destination Wizard.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 153
Note that if you’ve not yet configured an initial H.323 Gatekeeper, even though you’ve installed the software for it, you’ll have to start by setting up a computer as a gateway. Right-click the H.323 Gatekeepers node and select Add Gatekeeper. Then select this computer or a different one on which you wish to host the H.323 Gatekeeper role. Keep in mind that there are two components to the H.323 Gatekeeper installation—the admin tools and the actual Gatekeeper software. If you install the Gatekeeper without the admin tools, when you look in the ISA Management console you won’t see any H.323 node. Watch the installation options with caution.
To create a destination, follow these steps: 1. Start by navigating down through the ISA Management console to
H.323 Gatekeepers ➣ Your_Server_Name ➣ Call Routing ➣ Destinations. 2. Right-click Destinations and select Add Destination. The Welcome
To The New Destination Wizard screen appears. Click Next. 3. You’re presented with a choice of destination types, as shown in
Figure 3.6. Choose Gateway Or Proxy Server if you wish to configure this server as an H.323 gateway. Choose Internet Locator Service (ILS) if you desire to send calls to a non-Internet ILS. Choose Gatekeeper if you want to send requests to a different gatekeeper on the network. Select Multicast Group if you have multiple gatekeepers and want to use a call request to the multicast address of 224.0.1.41 instead of trying to send to a specific gatekeeper—use this option for a large, disparate array of gatekeepers. For this exercise, select the first option and click Next. 4. In the Destination Name Or Address text box, type in the FQDN or
IP address of the destination you’re configuring. Click Next. 5. In the Description text box, type in a description for the destination
and then click Next. 6. Click Finish to conclude the wizard’s operation.
Finally, you must make sure that the H.323 application filter is enabled and that the proper settings are applied on the Call Control tab: Allow Incoming Calls and Allow Outgoing Calls. Set up a protocol rule to allow the H.323 protocol by navigating in the ISA Management console to Server_Name ➣ Access Policy ➣ Protocol Rules.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
154
Chapter 3
■
Basic ISA Configuration
FIGURE 3.6
Running the Gatekeeper New Destination Wizard
Configuring Gatekeeper Rules Now that you’ve set up the destination, you’re ready to create your gatekeeper routing rules. All of the rules use the same basic wizard, although the options change a bit depending on the rule that you’re configuring. There are three gatekeeper rules that you can configure: ■
Phone number rule or rules
■
E-mail rule or rules
■
IP address rules
Configure H.323 Gatekeeper for audio and video conferencing. ■
Configure gatekeeper rules. Rules include telephone, e-mail, and Internet Protocol (IP).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 155
Phone Number Rules We start with the phone number rules. There are several reasons why you’d use a phone number rule for your H.323 Gatekeeper, but most of them center on the fact that the registration database, while able to grow exceedingly large (50,000 clients), may become too cumbersome for some implementations. Because a phone number rule gives you the ability to filter on the phone number, most specifically its prefix, you can set up various gatekeepers that handle certain prefixes. Recall when we were setting up the destination and one of the destination options was Gatekeeper. This option is there because it’s possible, especially in large companies, to set up a group of gatekeepers, each of which may be responsible for its own grouping of phone numbers—probably centered on the phone number prefix. You could have a group consisting entirely of the 303 prefix, for example, another that’s entirely 970, and so on. You could even set up a gatekeeper on the Internet that used a completely different prefix such as 709, for example. Use the Gatekeeper destination when you have a complement of gatekeepers that you’re configuring and you want your rules to fire on a specific gatekeeper component, thus keeping down the registration database size for each gatekeeper server. You can also use phone number rules when you’re attempting to access a Voice over IP (VoIP) system or an IP-to-PSTN-type system. Refer to www.cisco.com for some power entries into the VoIP world (not the smallest, but possibly not the biggest VoIP player either). To create a phone number rule, follow these steps: 1. Right-click the Phone Number Rules node of the ISA Management
console and select Add Routing Rule. The Welcome To The New Routing Rule Wizard screen pops up. Click Next. 2. Key in a name and a description for the phone number rule, and
then click Next. 3. Enter the phone’s prefix or the entire phone number. If you want to
sort on the prefix, simply key in the prefix and then click Next. Note that the Route All Phone Numbers Using This Prefix check box is checked by default—something you may have to think about whether to use or not.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
156
Chapter 3
■
Basic ISA Configuration
4. Select your destination type from the following choices: None (No
Destination), Registration Database, Gateway Or Proxy Server, which is the default, Gatekeeper (May Reside In Another H.323 Zone), or Multicast Group (Used By Multicast Gatekeepers). Unless you have something exotic going on, stick with the default Gateway Or Proxy Server, and click Next. 5. Select the destination for the routing rule to use. This is the
destination that we just finished creating previously. Click Next. 6. The next screen asks how you want to prepare the final phone
number. You can opt for Discard Digits, which means that the system will truncate the prefix before sending. You could use this as a semaphore-type routing system in which all of your Campus A clients are configured with a prefix of, say, 777 and your Campus B clients are configured with 888. When Campus A sends a call to Campus B, the prefix is stripped off and the call is routed to the phone number that matches the phone number in Campus B’s registration database. Use this technique when you have dissimilar H.323 Gatekeepers that have not implemented the same routing methodologies. You also have the choice of Add Prefix, which allows you to add a prefix to the number. Make any changes you desire and then click Next. 7. Key in a routing metric for this rule. You can order the rules by
using different routing metrics. Click Next. 8. Click Finish to complete the rule. The new rule shows up in the
Details pane of the ISA Management console. Note that there’s already a rule there called Local, which, for lack of any other rules, puts the phone number into the local registration database. You can key in as many phone routing rules as you wish, paying special attention to the setup of multiple gatekeepers relative to the prefixes that you’ll use. In a large deployment of several gatekeepers, I think I’d sit down with some stakeholders in a room and whiteboard the entire routing scenario before digging into the Management console and creating them.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 157
E-mail Address Rules The e-mail address rules are set up in basically the same manner as the phone number rules. Note that if you’ve gone to the trouble of setting up the Q931 SRV resource record (see the Design Scenario below) in your DNS servers across your network, you won’t need to set up any routing rules. 1. Navigate to the H.323 Gatekeepers ➣ Server_Name ➣ Call
Routing ➣ E-mail Address Rules node of the ISA Management console. 2. Right-click E-mail Address Rules and select Add Routing Rule from
the shortcut menu. The Welcome To The New Routing Rule Wizard screen appears, as shown in Figure 3.7. Click Next. FIGURE 3.7
The opening screen of the New Routing Rule Wizard
3. Type in the name and a description of your routing rule, as shown in
Figure 3.8. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
158
Chapter 3
■
Basic ISA Configuration
FIGURE 3.8
The Name and Description fields of a sample routing rule
4. In the Domain Name Suffix dialog box, type in the DNS domain
name for your e-mail addresses, as shown in Figure 3.9. If all e-mail addresses use the same DNS suffix, then leave the Route All E-mail Addresses That Include This General DNS Domain Name check box checked (it is checked by default). Click Next to continue. FIGURE 3.9
The Domain Name Suffix dialog box of a sample routing rule
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 159
5. You’re presented with the same Destination Type dialog box as in
the phone number rules wizard, but this time three new entries appear: Internet Locator Service (ILS), DNS (Using The Domain Part Of The Address), and Active Directory (Using The NTDS User Object ipPhone Attribute), as shown in Figure 3.10. There are some things to note regarding this Destination Type screen. You can select Registration Database if there are active registrations in the database (see the Terminals node of ISA’s Gatekeeper section to determine which users have registered). However, the database has a time to live (TTL) of only six minutes, at which time the user is asked if they wish to re-register. If they do not re-register, the registration is dropped from the list. Thus, the registration database could create problems for you with hit-or-miss NetMeeting users. Note that the NTDS ipPhone attribute is used for Voice over IP (VoIP) telephony users. Generally, you’ll stick with the default Gateway Or Proxy Server selection and click Next. FIGURE 3.10
The Destination Type screen of a sample routing rule
6. You’re next asked for the destination to which clients will be routed.
You must create this destination prior to initiating the phone number or e-mail rules, and we ran through the steps previously. Figure 3.11 shows a sample destination.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
160
Chapter 3
■
Basic ISA Configuration
FIGURE 3.11
The Destination Name screen of a sample routing rule
7. You’re then prompted to enter a metric for this rule (the default of
which is 1), as shown in Figure 3.12. Key in a metric that most accurately describes this rule’s order in the gatekeeper scheme of things, and click Next. FIGURE 3.12
The Routing Rule Metric screen of a sample routing rule
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 161
8. Click Finish to conclude the wizard.
Remember that NetMeeting clients utilize either an e-mail address or a telephone number to register with a gatekeeper registration database. Even though the database can hold around 50,000 entries, that doesn’t imply that you’ll opt to use a single gatekeeper for all registrations. In smaller installations, a single gatekeeper might make sense, but in larger enterprises, an array of ISA gatekeepers might admirably fit into the picture. You must do some design work up front to determine how users will access the registration directories (phone number or e-mail) and which ones they will use.
IP Address Rules Finally, we can set up IP address rules to access clients via the registration database. This is an unlikely choice for you because most users utilize DHCP and thus don’t necessarily have the same IP address from day to day. Also, users are not attuned to the idea of an IP address, so this isn’t the friendliest method of setting up registrations. The wizard basically runs the same way: 1. From the H.323 Gatekeepers ➣ Server_Name ➣ Call Routing ➣ IP
Address Rules node of the ISA Management console, right-click IP Address Rules and select Add Routing Rule. Click Next. 2. Key in the name and a description for the rule, and click Next. 3. In the IP Address Pattern screen, key in the IP address or network ID
of the IP addresses that will participate, along with a valid subnet mask. This screen is shown in Figure 3.13. Click Next. 4. This time, the Destination Type window has the Registration
Database, Internet Locator Service (ILS), DNS (Using The Domain Part Of The Address), and Active Directory (Using The NTDS User Object ipPhone Attribute) buttons grayed out and a new button highlighted: Local Network (Recipient Resides In The Same Network As The Caller). Select the Destination Type and click Next. 5. The Destination Name is the same as the one we created previously.
Highlight it and click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
162
Chapter 3
■
Basic ISA Configuration
FIGURE 3.13
The IP Address Pattern screen of a sample routing rule
6. The metric is the same in all the rules and defaulted to 1 (typically
the best choice). Key in a metric or simply click Next. 7. Click Finish to conclude the wizard.
You’ve learned that you first create a destination, and then you create your phone number, e-mail, and IP address rules. You’ve also learned that the destination doesn’t necessarily have to be on the ISA Server you’re currently working with—there can be other ISA Servers out there participating in the gateway process. You can leverage the phone number prefix to isolate various registration databases by prefix. You can use the e-mail address in the same way, isolating by DNS domain name. You’ll probably not delve a lot into the IP address rule unless you have statically assigned client IPs.
Speaking of static entries, you can create a statically assigned user (statically inserting their call information into the registration database) by right-clicking the Active Terminals node of the ISA Management console and selecting Register Static User. External clients who connect in this way must have a static IP address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 163
Gatekeeper-to-Gatekeeper (LAN-to-LAN) H.323 and DNS Here’s an interesting design issue. Suppose that you want to utilize your H.323 Gatekeeper installation between two LANs. For example, perhaps you have two workgroups that are collaborating on a single project, and they’re on separate LANs, perhaps a great geographic distance from one another. You can set up the H.323 Gatekeeper between two ISA Servers in an array and thus provide NetMeeting connectivity for the users in the various workgroups. This way, they can contact one another, use small web cameras for video, use microphones and speakers for audio, participate in meetings using a virtual whiteboard, and actually collaborate on documents such as MS Project projects, Word and PowerPoint presentations, and Excel spreadsheets. If one of the participants needs a hand doing something, you can—provided the user gives permission—even take over their Desktop. So there’s quite a little bit of collaborative power in this NetMeeting client. But here’s the tricky part—okay, maybe not so tricky. In order for the user’s e-mail address to be used as the phone number that NetMeeting clients call, which is an way easy way of making contact with another NetMeeting participant, you have to tweak the Windows 2000 DNS servers. The DNS servers don’t have to be Windows 2000, but they do have to be capable of hosting SRV records. In particular, you need an SRV record of type Q931. You’ll open your friendly DNS console and right-click the domain you’re interested in modifying. Select Other New Records. A Resource Record Type dialog box will appear, where you can select Service Location and then click Create Record, as shown in the graphic at the top of the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
164
Chapter 3
■
Basic ISA Configuration
In the New Resource Record window’s Service field, key in _q931 (noting the leading underscore). In the Protocol field, leave the setting at the default of _tcp. In the Port text box, type in 1720. And in the Host Offering This Service text box, type in the name or IP address of your ISA Server’s external interface, as in the graphic shown below. Click OK.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 165
One item of interest here is that while you greatly ease the NetMeeting client’s ability to contact another host (all they need to know is the e-mail address of the party being contacted), the client has no lookup capabilities to derive the address as you do with ILS.
Setting Up and Troubleshooting Dial-up and Dial-on-Demand Connections Not all corporate networks connect to the Internet via some sort of highspeed line—T1 (1.544Mbps) or higher. Some ISA Server installations connect to the Internet through some type of dial-up connection. Since the Microsoft Proxy Server days, administrators have been able to set up their proxy servers so that when a user wanted to connect to the Internet, the server would handle the details of calling the ISP and setting up the connection. You’ll use the Windows 2000 feature Routing and Remote Access Service (RRAS) for your connectivity in cases such as these.
Chapter 4 will cover some more material on the topic of ISA Server and RRAS.
The dial-up connection doesn’t necessarily have to be a Plain Old Telephone System (POTS) line connection. Things like Integrated Services Digital Network (ISDN) and X.25 are RRAS clients, while Digital Subscriber Line (DSL) and cable modem can be considered RRAS clients. I say “can be” with DSL and cable modem because if you have an external modem with these systems, you’ll have a NIC installed in your server that’s plugged into the modem. So from that perspective, it looks to the server like any other network connection—it just happens to be going out over a DSL or cable modem circuit. The NIC has an IP address issued by the ISP and is considered to be just another client on the ISP’s network. In a case like this, if the NIC connected to the cable or DSL modem is in the ISA Server, it is the ISA Server’s external interface. You can set up cable and DSL so that their Ethernet cable plugs into a switch or hub. In such a case, I would set up your ISA Server so that it had two NICs, one that plugged into the cable modem’s switch or hub and another that plugged
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
166
Chapter 3
■
Basic ISA Configuration
into a switch or hub for your internal clients. Remember that we’re talking about small networks here, probably single-building, single-subnet networks. You’ll probably install a Windows 2000 Server installation that runs Internet Connection Sharing (ICS) or Network Address Translation (NAT), both of which are enabled through RRAS (one or the other—they cannot run together).
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
With dial-up connections, you’ll have to set up a phonebook entry so that the ISA Server knows whom to call. You have a two-step process to go through: ■
Set up your RRAS phonebook entry.
■
Set up an ISA Server dial-up entry.
Setting up the phonebook entry is easy. You must, of course, first install RRAS, but once it’s running, you can immediately set up your phonebook entries. Here’s how: 1. From the ISA Server, choose Start ➣ Settings ➣ Network And Dial-
up Connections. 2. Double-click the Make New Connection Wizard and follow the
prompts to set up your new phonebook entry.
Connections in the Network And Dial-Up Connections window are called sometimes connectoids.
Next, you go into the ISA Server’s Management console and create a dial-up entry that will key off of the RRAS phonebook entry you just created: 1. Navigate through the ISA Management console to Servers And
Arrays ➣ Server_Name ➣ Policy Elements ➣ Dial-up Entries. 2. Right-click Dial-up Entries and select New Dial-up Entry. The New
Dial-up Entry window appears.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 167
3. Key in a Name and Description for your dial-up entry. 4. Click the Select button and select your previously created RRAS
phonebook entry. Click OK to return to the New Dial-up Entry window. 5. Click Set Account to set up the account and password with which the
dial-up entry will be connecting to the ISP. Click OK to return to the New Dial-up Entry window. See Figure 3.14 for an example of what the new entry might look like. FIGURE 3.14
The finished ISA dial-up entry
6. Click OK to finish the new entry. The new entry will appear in the
Details pane of the Dial-up Entries node. You can change the name and description of your new ISA dial-up entry simply by double-clicking it within the Details pane to bring up the Properties sheet for the new entry. The name and description are handled through the General tab of its Properties sheet. The Bandwidth tab, shown in Figure 3.15, shows that you can throttle the bandwidth that the connection will use when it connects to the Internet.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
168
Chapter 3
■
Basic ISA Configuration
FIGURE 3.15
The Bandwidth tab of the Properties sheet for a new ISA dial-up entry
For multiple dial-up entries, right-click the one that you want to be the predominantly active connection in the Details pane, and select Set As Active Entry from the shortcut menu.
Note that the default bandwidth throttling is 1Kbps. If you’re not paying attention and you enable bandwidth throttling, your ISA Server’s Internet connection could run mighty slowly.
Setting up demand-dial is just as easy. After you’ve created your RRAS phonebook entry, right-click it and select Properties to bring up the entry’s Properties sheet. Navigate to the Sharing tab, and click the Enable Internet Connection Sharing For This Connection check box. As soon as you click that check box, a second one, Enable On-Demand Dialing, will activate and be already checked and ready to go, as shown in Figure 3.16.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 169
FIGURE 3.16
Both ICS and On-Demand Dialing are enabled for this phonebook entry.
Enabling ICS automatically sets the NIC’s interface to the reserved IP address of 192.168.0.1, and the DHCP scope for this network ID is created as well. Statically assigned IP addresses should be reconfigured to use DHCP, or their ICS/demand-dial connectivity will not work, as shown in Figure 3.17. FIGURE 3.17
The ICS warning box
You can get into more robust RRAS scenarios when you run the Routing And Remote Access Server Setup Wizard. Choose Start ➣ Programs ➣ Administrative Tools ➣ Routing And Remote Access. Rightclick your server, and click Configure And Enable Routing And Remote Access. Select to install as an Internet connection server from the Common Configurations screen. Run through the Routing And Remote Access
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
170
Chapter 3
■
Basic ISA Configuration
Server Setup Wizard, opting to install NAT instead of ICS. You can choose to use an already created phonebook entry or set up a new one for demand-dial. Figures 3.18 and 3.19 show the NAT and demand-dial screens, respectively. FIGURE 3.18
Running the RRAS Setup Wizard and opting for NAT
FIGURE 3.19
Running the RRAS Setup Wizard demand-dial phonebook entry
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring H.323 Gatekeeper for Audio and Video Conferencing 171
Firewall Chaining Now we need to talk about a bizarre thing called firewall chaining. The concept behind firewall chaining is that you have an ISA Server set up in a different locale than your primary ISA Server and you want to forward Internet requests to the primary host server. Firewall chaining works for SecureNAT, Firewall, and Web proxy clients all the same way. You can utilize your ISA dial-up entry in a firewall-chaining methodology. Here’s how: 1. From the ISA Management console, navigate to Servers And
Arrays ➣ Server_Name ➣ Network Configuration. 2. Right-click Network Configuration and select Properties to open
the Firewall Chaining Properties sheet for this server. 3. Click the Chain To This Computer radio button. 4. In the Name text box, key in the name of the ISA Server you want
to chain to, and then click OK. 5. Check the Use This Account check box, and key in the access
account if necessary. 6. Click the Use Dial-up Entry check box to use the active dial-up
entry to connect to this computer. This will cause the server to use the active dial-up entry to forward requests to the designated server. Note that you should pretest your phonebook entry to make sure it’s able to connect to the other server. Figure 3.20 shows the completed entry. 7. Click OK to establish the chaining rule.
Troubleshooting dial-up entries is handled in Chapter 8. Basically, though, the majority of things that go wrong revolve around one of three causes: ■
Invalid logon credentials
■
Hardware problems
■
Incorrect software settings
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
172
Chapter 3
■
Basic ISA Configuration
FIGURE 3.20
Firewall chaining using a dial-up entry
We will end with a note that you can create routing rules that forward requests to a specified destination by using a dial-up connection. Following are the steps to accomplish this: 1. From the ISA Management console, navigate to Servers And
Arrays ➣ Server_Name ➣ Network Configuration ➣ Routing. 2. Right-click Routing and select New ➣ Rule. 3. Give the rule a meaningful name, and then click Next. 4. Select the destination to which this rule applies, and click Next. 5. The next section of the wizard, called Request Action, has two
different scenarios in which you may supply a dial-up entry for action: Retrieve Them Directly From Specified Destination and Route To A Specified Upstream Server (as shown in Figure 3.21).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Summary 173
FIGURE 3.21
Using dial-up entry in a routing rule
6. Select the destination action and click the Use Dial-up Entry check
box to utilize a dial-up connection for the action. (Note that the phonebook and dial-up rule must already be present.) Click Next, and work your way to the end of the wizard.
Array Members When you have members of an ISA Server array that utilize dial-up connections, there must be a connectoid for each array member and it must have the same name as every other array member’s connectoid. Even though this may seem like a limitation, you can change the phone number that each connectoid references.
Summary
I
n this chapter, we talked about the various ISA Server hosting roles. We began our discussion with the initial ISA Server deployment and troubleshooting problems with outbound Internet access. We presented the
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
174
Chapter 3
■
Basic ISA Configuration
open-door method to establish that your ISA Server is actually working. In this scenario, you begin with a completely open rule set and then tweak it as you go until you get the server locked down to the point where you want it. Next, we talked about web publishing with ISA Server. While this feature is straightforward, there a few things to keep in mind. One is that DNS name-resolution capability is everything in the web publishing environment. For every different prefix you’ll be using in the DNS domain name, you’ll want to have a separate A or CNAME record in your ISP’s DNS box or your own Internet-based DNS computer. We also talked about the concept of bridging, whereby, for example, you receive an HTTP packet but turn the request toward FTP. We also talked about how you can use certificates to handle secure web publishing. Next, we talked about setting up ISA Server for server proxy. Basically, what’s meant by that is that you create packet filters on the ISA Server in order to filter the kind of protocols you’re willing to allow inside the door. Server proxy is predominantly used on the DMZ where server publishing doesn’t make as much sense. We also talked about server publishing—the concept that you’re going to allow external clients to access some internal non-web server. For example, you might decide that you’d like to set up a terminal server so that users can run internal applications from the Internet. We talked about publishing e-mail on the Web by using the E-mail Publishing Wizard. We also discussed how to configure Outlook Web Access (OWA) for Internet connectivity and how its configuration utilizes a web publishing rule, not a server publishing rule, because OWA is, after all, a web application. Next, we discussed the H.323 Gatekeeper and showed you why you’d use a gatekeeper for your NetMeeting calls and why you might not want to use a gatekeeper. We ran through the basics of NetMeeting and how you configure the product so it can go through a gatekeeper instead of an Internet Locator Service (ILS). Finally, we talked about dial-up and demand-dial connections and showed you how you first create a Routing and Remote Access Service (RRAS) phonebook entry and then go into ISA Server’s Management console and configure a dial-up entry. We also showed you how to chain to another ISA Server using dial-up.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Exam Essentials 175
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: Public Switched Telephone Network (PSTN)
A record CNAME record
redirection
firewall chaining Internet Locator Service (ILS)
server publishing
Mail Server Security Wizard
Exam Essentials Know and understand the three ISA Server hosting roles. Pay special attention to the web publishing role, the protocols involved, bridging, and the need for accurate DNS entries. Understand what the H.323 Gatekeeper is, what its function in life is all about, and how to configure it. It’s also important to understand the pitfalls associated with using the Gatekeeper (such as your inability to contact an ILS for registration information). Be able to troubleshoot inbound and outbound Internet access. If you’ve taken Microsoft’s tests before, you’re keenly aware that they’re very big on troubleshooting questions. And this test is no different. The majority of the questions start with some iteration of “You’re the administrator of…” and end with “Your users are having trouble….” Understand how to configure RRAS dial-up phonebook entries along with ISA Server dial-up entries and why ISA needs to utilize both. It’s important to understand the interworkings between RRAS and ISA Server—why you’ll have to make a phonebook entry along with an ISA dial-up entry to get things to work.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
176
Chapter 3
■
Basic ISA Configuration
Review Questions 1. You have recently configured a stand-alone ISA Server. You’ve
configured a protocol rule that allows HTTP, HTTPS, and FTP; however, you’re receiving complaints that none of your internal users can access the Internet. What could be the problem? (Choose all that apply.) A. You’ve not yet created a site and content rule. B. You must create a destination set that includes the entire
network. C. You need to create IP packet filters to handle the outbound
protocols. D. You need to create a routing rule. 2. You’re trying to configure your ISA Server for H.323 Gatekeeper
connectivity so that internal and external NetMeeting clients can virtually collaborate (see exhibit). You have the destination, e-mail, and phone rules set, but your external clients are unable to access the Gatekeeper. What could be the problem? ISA Server (H.323 Gatekeeper) Internal NetMeeting client
Internet
External NetMeeting client
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 177
A. External NetMeeting clients cannot participate in H.323
Gatekeeper. B. External NetMeeting clients should adjust their software to use a
gateway to call telephones and videoconferencing systems. C. External clients lack an entry in the registration database. D. The H.323 filter is disabled. 3. You have a two-node ISA Server array, one server in Campus A
and one in Campus B. The campuses are separated by 200 miles but are connected by a fiber optic circuit. You’d like to set up two gatekeepers in such a way that NetMeeting users in either building who wanted to set up a virtual conference with whomever they chose could do so (see exhibit). If clients in Campus A want to connect only to other clients in Campus A, they should be able to do so in the quickest and easiest way possible. What would be the best way to go about accomplishing this? Campus B NetMeeting client
Campus A NetMeeting client
ISA Server (H.323 Gatekeeper)
ISA Server (H.323 Gatekeeper)
Campus A NetMeeting client
A. Set up a routing rule. B. Use the phone number. C. Use the computer name. D. Use the e-mail address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
178
Chapter 3
■
Basic ISA Configuration
4. You’ve set up a web publishing rule that will allow all incoming
HTTP requests to be forwarded to an internal web server. You’re getting complaints from external users that they cannot hit the website. Upon reviewing the ISA Management console, you find the following information, as shown in the Published Web Servers list and the Available Packet Filters list in the exhibit. What might be the problem?
A. There is a bad IP packet filter. B. The web publishing rule is disabled. C. The web publishing Deny rule supersedes the HTTP Allow rule. D. You need to create a routing rule to bridge the external NIC to
HTTP. 5. You’ve been called in as a consultant to help with the final deploy-
ment of an ISA Server. The administrator has the server up and running, but users are complaining that services aren’t working. You look at the server and see the screens shown in the exhibit: Available Site And Content Rules, Available Protocol Rules, and Available Packet Filters. Given the current settings, what are internal users capable of doing across the ISA Server?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 179
A. Receive and send Internet e-mail, ping, DNS lookup, DHCP,
HTTP, FTP, and HTTPS. B. Receive and send Internet e-mail, ping, DNS lookup, DHCP,
HTTP, and HTTPS. C. Receive and send Internet e-mail, ping, DNS lookup, and DHCP. D. Receive and send Internet e-mail and ping. 6. You’ve been requested to publish a server application on your ISA
Server. The application uses TCP port 14783 and UDP port 14784. How would you go about publishing this application?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
180
Chapter 3
■
Basic ISA Configuration
A. Build protocol definitions, protocol rules, and a client set for the
new application and publish them. B. Build protocol definitions, protocol rules, a client set, and IP
packet filters for the new application and publish them. C. Build protocol definitions, protocol rules, and a destination set
for the new application and publish them. D. Build protocol definitions, protocol rules, a destination set, and
IP packet filters for the new application and publish them. 7. You’re setting up an e-commerce web server. Because the new web
server will be dealing with clients’ credit card numbers, you’d like to use as much security as possible. The design goal is to publish this server from the internal network in order to avoid having to set up a DMZ. You want the connection secure from the external client clear through to the web server. What are the steps that you’d take to accomplish this goal? A. Run the Web Publishing Rule Wizard to publish the website.
HTTPS connections are automatically handled. B. Run the Web Publishing Rule Wizard to publish the website. Edit
the rule when finished to enable bridging. C. Set up two websites, one for HTTP and one for HTTPS. Set up
the web publishing rule to re-route incoming HTTP requests to the HTTPS site. D. Create IP packet filters for both HTTP port 80 and HTTPS port
443. Set up a routing rule to route incoming HTTP requests to the new website. 8. You’re getting ready to publish a website on an ISA Server that also
currently publishes autoconfiguration information. What are the necessary steps to accomplish your website publishing? A. Change the port that IIS listens on, and change the Incoming
Web Requests Listener to listen for HTTPS on the same port. B. Change the port that IIS listens on, and change the Incoming
Web Requests Listener to listen for HTTPS on port 14443.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 181
C. Change the port that IIS listens on, and change the Incoming
Web Requests Listener to listen for HTTP on the same port. D. Change the port that IIS listens on, and change the Incoming
Web Requests Listener to listen for HTTP on port 14443. 9. Suppose that you want to set up your ISA Server so that you utilize
secure web publishing through certificates. You’ve already installed a certificate you created on your web server for your ISA Server to use. You’re not concerned about the traffic flow from the ISA Server to your web server, only external web requests. What steps would you take to handle this situation? A. Run the Web Publishing Rule Wizard. B. Update IIS to listen to the internal interface of your ISA Server,
and run the Web Publishing Rule Wizard. C. Update IIS to listen to the external interface of your ISA Server,
and run the Web Publishing Rule Wizard. D. Update IIS to listen to the internal interface of your ISA Server. 10. You have a domain that you’d like to use an internal web server
to publish through ISA Server on the Internet: horseshoes.com. There are several variations on the horsehoes.com name that you’d like to have your web server answer to: ferrier.horseshoes.com, game.horseshoes.com, www.horseshoes.com, and ftp.horseshoes .com. What things must you do before you can publish the website? This question has two answers as its complete answer set. Select two answers. A. Attach four separate IP addresses to the external interface of
your ISA Server. B. Have your ISP create one A record and three CNAME records
on its DNS server. C. Create a client set called horseshoes.com that includes the four
prefixes in the description. D. Create a destination set called horseshoes.com that includes the
four prefixes in the description.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
182
Chapter 3
■
Basic ISA Configuration
11. You have a need to publish two separate web servers as secure sites.
What are the steps that you’ll take in order to accomplish this goal? A. Set up a certificate on the external interface of the ISA Server.
Edit the Add/Edit Listeners interface of the Incoming Web Requests section of your ISA Server’s Properties sheet so that each website listens on a different port. Update IIS to listen on the server’s internal interface for each of the ports. B. Set up two certificates on the external interface of the ISA Server.
Edit the Add/Edit Listeners interface of the Incoming Web Requests section of your ISA Server’s Properties sheet so that each website listens on a different port. Update IIS to listen on the server’s internal interface for each of the ports. C. Apply two IP addresses to the external interface of your ISA
Server. Set up two certificates on the external interface of the ISA Server, one per IP address. Edit the Add/Edit Listeners interface of the Incoming Web Requests section of your ISA Server’s Properties sheet so that each website listens on a different port. Update IIS to listen on the server’s internal interface for each of the ports. D. Apply two IP addresses to the external interface of your ISA
Server. Set up two certificates on the external interface of the ISA Server, one per IP address. Add an additional web listener using the Add/Edit Listeners interface of the Incoming Web Requests section of your ISA Server’s Properties sheet so that each website listens on a different IP address and uses a certificate. Update IIS to listen on the server’s internal interface for each of the ports. 12. You’re publishing an internal IIS 4.0 website onto the Internet using
ISA Server. You’ve created a certificate on the website and have copied it to the ISA Server and installed it on its external interface. You’ve set up the Web Publishing Wizard so that external clients utilize an SSL connection with certificate for this website. Now you want to set up the connectivity between the ISA Server and the web server so that it, too, utilizes a secure connection. Which of the following can you utilize without setting up any more certificates? A. Use HTTP to SSL bridging. B. Set up a destination set that uses HTTPS. C. Set up a client set that uses HTTPS. E. Use IPSec. Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 183
13. You are planning a large multisite gatekeeper installation. Which
methods can you utilize to set up interconnectivity between all of the gatekeepers? (Choose all that apply.) A. IPSec policies B. Remote access policies C. Multicast group D. ISA routing rules 14. You’re working with an H.323 Gatekeeper installation on your ISA
Server. You set up separate static entries so that two external users can access the gatekeeper in order to collaborate with internal clients. After setup, one client appeared to have no difficulty connecting and working with the internal users, while the other was able to connect only once or twice and has not been able to connect since then. Both client settings appear identical. What could be the problem? A. The client software is set to use an ILS. B. The client is set to use DHCP. C. There’s no Q931 record in a public DNS server for this client. D. The static entry for this client isn’t correct. 15. Which of the following are true statements regarding NetMeeting
clients that utilize an ISA H.323 Gatekeeper? (Choose all that apply.) A. External clients can utilize an ILS and internal clients can still
communicate with them. B. Internal clients can utilize both an ILS and the gatekeeper. C. Internal clients can communicate with other internal clients by
phone, e-mail, or IP address. E. External clients must have a static entry in the registration
database. 16. You are having a problem configuring dial-up connections on your
ISA Server. While configuring the Dial-up Entry window in the Dialup Entries node of the ISA Management console, you click the Select
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
184
Chapter 3
■
Basic ISA Configuration
button to access a dial-up connection and receive the error shown in the exhibit. What could be the problem?
A. You’ve not yet configured a firewall chaining rule between your
array members. B. There are no dial-up connections configured. C. The Firewall service is stopped. D. The RRAS Server service is stopped. 17. You’re trying to publish an unusual application that uses UDP and
TCP 23,350. You’ve created the appropriate rules and have run the Server Publishing Wizard, but you still find that you cannot connect to the application. What might be wrong? (Choose all that apply.) A. The SecureNAT client is not appropriate for this app. B. Another application might be using the port. C. You’re not in the destination set for this rule. D. Server publishing won’t work with UDP. E. The application might be redirecting requests to a different port
on a different server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 185
18. You have two ISA Servers in an array, each of which should be able
to use a different phone number for a dial-up connection. How do you go about configuring the servers for this? A. Configure one server for the dial-up and the second with a
firewall chaining rule. B. Configure two Network And Dial-up Connections dial-up entries
with the same name but different phone numbers. C. Configure a routing rule on one array member that points to the
dial-up entry on the second server. D. Configure two ISA dial-up entries with the same name but
different phone numbers. 19. What does the Q931 DNS SRV record facilitate? A. The ability of ISA servers in different subnets to connect to one
another B. The ability of internal NetMeeting ILS clients to contact internal
H.323 Gatekeeper clients C. The ability of internal clients with common DNS name-
resolution capabilities to reach each other by telephone or e-mail address D. The ability of external ILS servers to communicate with H.323
Gatekeeper servers 20. You have recently set up an ISA Server and now wish to publish
an internal website to the Internet. You’ve run through the Web Publishing Wizard, and everything seems to be set up correctly, but external users complain that they can’t hit your site. They get a “Destination host not found” error. What could be the problem? A. The ISA Server has an IP packet filter that’s denying incoming
HTTP port 80. B. You’ve not yet updated your ISP’s DNS entries with the address
of your ISA Server. C. External clients need to point to the ISA Server as their default
gateway. D. IIS is listening on port 80 of the ISA Server’s external interface.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
186
Chapter 3
■
Basic ISA Configuration
Answers to Review Questions 1. A, C. You must provide an enterprise site and content rule that
delimits which sites users can go to. Without such a rule, no one can get out the door. You also need to set up IP packet filters that allow for the outbound protocols you intend to permit. 2. B. External clients can indeed access the H.323 Gatekeeper,
but there are two things to consider when working with internal/external client connections. The first is how you get external users talking to internal users. You can do this by getting external clients registered in the registration database—which you can accomplish manually. Optionally, internal users can simply call external users by phone. Thus, item C isn’t necessary, although it would be nice to have. Second, the external users must edit their NetMeeting software in the Advanced Calling option and select Use A Gateway To Call Telephones And Videoconferencing Systems and then key in the FQDN of the external interface of your H.323 gateway. If the H.323 filter is disabled, internal clients can’t get out. 3. B. Chances are good, since the clients are so far apart, that their
phone prefix is different from Campus A to Campus B. If so, then it’s easy to set up a phone routing rule that would simply use each campus’s phone prefix. If users in Campus A wanted to set up meetings with only other users in Campus A, all they’d have to do would be to use the client’s phone number and the system would route them there. An almost-as-easy alternative is the e-mail address, but for ease of typing and lack of confusion, the phone number may be a better choice in this instance. 4. A. The IP packet filter HTTP block is blocking all incoming port 80
traffic, even though your web publishing rule is allowing it in. The IP packet filter will take precedence and block all incoming HTTP port 80 traffic. 5. D. SMTP is configured for all users at all times and allows users to
receive and send Internet e-mail. The ICMP packet filter is enabled, thus allowing internal users to ping hosts on the Internet. There is
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 187
no site and content rule, nor are there HTTP, FTP, or HTTPS rules that allow internal users to utilize the Web. The DHCP packet filter is disabled. 6. C. You’ll need a new protocol definition and protocol rule for this
application, along with a destination set. Once you have all that, you’re ready to publish them. Remember that server publishing dynamically opens the necessary ports for you, so you don’t need an IP packet filter and may cause trouble for yourself if you introduce one. 7. B. Perhaps the easiest way to accomplish what you want to do is to
publish the site and then bridge it to HTTPS (assuming the site is already equipped to handle HTTPS requests). This way, even though the user hits the site via HTTP, requests are handled through HTTPS. 8. C. Because IIS and ISA both want to listen on the ISA Server’s
external interface port 80, you have to adjust IIS to listen to the server’s internal interface. However, this scenario doesn’t work because the question says you’re publishing autoconfiguration information, and autoconfiguration is utilizing port 80 on the internal interface. So you first modify IIS to listen to a different port, and then you change the Incoming Web Requests Listener to listen on that same port for HTTP. 9. B. IIS needs to be listening to the internal interface of the ISA Server
(because it will be sending and receiving requests from an internal web server). Then you run the Web Publishing Rule Wizard. 10. B, D. Recall that in order for Internet users to be able to hit your
website, they must be able to resolve an Fully Qualified Domain Name (FQDN), and to do that they must be able to hit a DNS server that’s authoritative for your domain name and prefixes. The first DNS entry should be an Address (A) record (or Host record, as Microsoft labels it); the others can be either A or CNAME records that all point to the external interface of your ISA Server. You’ll also create a destination set that has as its name horsehoes.com and the
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
188
Chapter 3
■
Basic ISA Configuration
four prefixes you intend to use in the description for the destination set. Then you’re ready to run the Web Publishing Wizard. 11. D. Recall that you’re allowed only a single certificate per web
listener. Therefore, if you have multiple secure sites, you can either choose to bind multiple IP addresses to the same external interface or, optionally, add other external interfaces. Then, you have to create additional listeners and use one certificate per listener. Finally, you make IIS listen to the internal interface of the ISA Server to get it out of the way of the external interface. 12. A. By utilizing HTTP to SSL bridging, you can handle the secure
connection between your ISA and web servers without too much fuss. You can’t use IPSec because your website is on a Windows NT 4.0 computer and can’t utilize IPSec policies. 13. C, D. When you have gatekeepers that need to forward information
to one another, you can opt to set up routing rules, which could get cumbersome if there were very many gatekeepers in the array. Optionally, you could set them up in the 224.0.1.41 multicast group and then denote their destinations as such when running the New Destination Wizard in your gatekeeper setup. 14. B. The client is evidently accessing the ISP and obtaining a DHCP
address. The address has changed since the last gatekeeper session and now does not match the static entry. 15. A, C, D. It is possible for an internal client to go through a gatekeeper
and access an external client via an ILS—in fact, this may be the preferred method, as long as the communication is internal to external. Otherwise, it’s preferable for the external client to have a static entry in the ISA registration database and to point directly to the gatekeeper through its software configuration. Internal clients can communicate with other internal clients by any of the above three methods. 16. B. You’ve not yet configured any dial-up connections. The RRAS
Server service can be stopped, and if there are dial-up connections in the Network And Dial-up Connections window, you’ll still be able
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 189
to configure your dial-up rule. It won’t work until you start the service, however. 17. A, B, E. Most likely you’re having problems with the SecureNAT client. Try using the Firewall client with a wspcfg.ini to see if it
fixes the problem. It could be that the application is using another port. Applications sometimes redirect a request to a different port on a different server, in which case you’d have to edit the rule and account for that fact. You cannot use destination sets in server publishing rules. 18. B. Each member of the array must be set to use the same dial-up
networking (DUN) connectoid name. But just because the name must be the same, that doesn’t mean the number needs to be the same. Simply create a DUN connectoid with the same name as its array member partner but with a different number. The ISA dial-up entries will reference the connectoid for that server. 19. C. The Q931 resource record allows for gatekeeper-to-gatekeeper
connectivity (as long as the two hosts can reach each other by DNS name resolution) and provides for the ability of NetMeeting clients to access one another by phone number or e-mail address. 20. B. The most likely cause of this problem is a name-resolution error.
You’ve simply not yet updated your external DNS with an entry for the ISA Server’s external interface.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
4
ISA Server and RRAS Integration MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Configure and troubleshoot Virtual Private Network (VPN) access. ■
Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard.
■
Configure the ISA Server computer for VPN pass-through.
✓ Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections. ■
Set up and verify routing rules for static IP routes in Routing and Remote Access.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
N
ow that we’ve completed an installation of ISA Server and have the basics of how to configure it, we need to take a look at how ISA Server behaves in an enterprise environment. What’s an enterprise environment, you ask? An enterprise is usually considered a large network environment that has a good number of servers and clients and quite possibly a few remote locations. You’ll find that knowing how to configure ISA Server alone is not enough in this arena; you also need to know the intimate details of how the Windows 2000 Server/Advanced Server operating system works, especially Routing and Remote Access Service (RRAS). You’ll find RRAS running in nearly every enterprise environment that is using Windows 2000 as its core network operating system. This section mainly covers configuration and best practices for using ISA Server, primarily in firewall mode. In fact, this section primarily deals with Windows 2000, so if you’re already a guru, you may want to use the following information as a refresher. The first thing we need to do is delve into Windows 2000 and get a firm grasp of RRAS and IP routing. From there, we’ll round out the edges by setting up demand-dial routing to work with ISA Server to allow all types of outbound access from the network. Finally, we’ll move on to configuring a virtual private network (VPN) in Windows 2000 and show how to integrate it with our ISA Server. So sit back, relax, settle down in your favorite chair, and let’s begin.
This chapter deals only with the configuring and setting up portions of the objectives. The troubleshooting portions are covered in Chapter 8, “Troubleshooting ISA Server.”
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 193
Introduction to Routing and Remote Access Service
O
ne of the greatest features offered in Windows 2000 is Routing and Remote Access Service. RRAS is truly a “one-stop shop” for a reasonable portion of the networking services offered by Windows 2000. You can use RRAS for many different functions, including the following: ■
Providing a dial-in server for users
■
Providing a distance-vector router
■
Providing a link-state router
■
Providing a demand-dial router
■
Providing Network Address Translation (NAT) for Internet clients
■
Providing a virtual private network for Internet clients
■
Acting as a client to Remote Access Dial-In User Service (RADIUS) servers
Although the nitty-gritty details of installing and configuring these services are beyond the scope of this book, you need to have a rudimentary understanding of how RRAS fits into the “big picture” before you can configure ISA Server for an enterprise environment.
The History of RRAS Most people think that Windows 2000 marked the first appearance of RRAS; however, it was in Windows NT Server 4.0 that RRAS made its debut in the world of network operating systems. Back then, RRAS was known by its codename, “Steelhead.” In its first incarnation, RRAS was an add-on to Windows NT 4.0. Nowadays, RRAS is the de facto standard upon which all remote-access and routing features are managed through Windows 2000. RRAS didn’t have all the bells and whistles back then that it does now, either. For example, although it did support both the Routing Information Protocol (RIP) and Open
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
194
Chapter 4
■
ISA Server and RRAS Integration
Shortest Path First (OSPF), it did not support such advanced security protocols as Internet Protocol Security (IPSec). RRAS also supported the ability to act as a RADIUS client only. With the advent of bigger and better operating systems, Windows 2000 can act as either a RADIUS client or server.
RRAS is a must-have service for Windows 2000 Server administrators and users. As we mentioned, RRAS acts as a dial-in server, a VPN server, a NAT server, as well as a demand-dial server. You manage it through the Microsoft Management Console (MMC) for RRAS. The MMC snap-in is shown in Figure 4.1.
FIGURE 4.1
The RRAS snap-in for the Microsoft Management Console
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 195
The first thing that you must do if this is a fresh installation of Windows 2000 is to enable RRAS. If you don’t, and you don’t make the initial configuration, then you won’t get very far! During the initial setup phase, you must choose what role you want your RRAS server to play. Don’t worry, because your server can act in one or more roles, but initially you’ll configure just one of them with the wizard. Later on, you can configure others manually.
RRAS As a Dial-in Server It’s probably safe to say that the most common use for an RRAS server is to provide dial-in access to clients of a corporate LAN. RRAS does this admirably, increasing the base of services that Windows NT 4.0 provides. RRAS is also quite easy to configure to support dial-in clients. All that you have to do is ensure that your modem is installed before you run the Routing and Remote Access Server Setup Wizard, then select Dial-In Server in the wizard, and you’re set!
It’s worth mentioning a few things about Windows 2000 before you actually install a dial-in server. First of all, you must make certain that your hardware is on the Hardware Compatibility List for Windows 2000. Don’t assume that any old hardware will work here. I know from very painful experience that this is not always the case. Second, if you have NT 4.0 RAS clients in your network and you’re using Windows 2000 Active Directory, then you need to make sure that you’ve relaxed the permissions of Active Directory to ensure that there are no problems. In case you’ve forgotten or don’t know, you perform that task in the Active Directory Installation Wizard (DCPROMO.EXE).
Once you’ve finished running the Setup Wizard, you should have a screen that resembles Figure 4.2. Any time you want to see which devices are available for use by RRAS, click Ports in the Details pane on the left, and all available modems will be listed. Note that your VPN ports will also be listed here if you installed and configured your RRAS server to be a VPN server as well.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
196
Chapter 4
■
ISA Server and RRAS Integration
FIGURE 4.2
The RRAS MMC after initial configuration
You can also view the configuration of any port by right-clicking Ports in the Details pane of the MMC and then choosing Properties from the shortcut menu that appears. You can double-click any listed port to bring up the Port Status window, as shown in Figure 4.3. Note that you can enable or disable any port as well as set the phone number or specify a maximum connection limit for those devices that support the ports.
If you configure RRAS as a dial-in server and use DHCP to allocate IP addresses to clients, make sure you configure the RRAS server as a DHCP relay agent, or you could be in trouble!
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 197
FIGURE 4.3
The Port Status window
RRAS As a VPN Server Although NT 4.0 could be a VPN server with RRAS, it was certainly difficult to configure. Not only that, the only protocol supported was the Point-to-Point Tunneling Protocol (PPTP). Windows 2000 makes virtual private networking a whole lot easier to install and configure. To use RRAS as a VPN, all you have to do is select Virtual Private Network Server from the Setup Wizard. You can see the status of VPN ports by choosing Ports in the MMC, as shown in Figure 4.4.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
198
Chapter 4
■
ISA Server and RRAS Integration
VPN technology, as you might imagine, is fairly complicated and in the NT/2000 world requires a thorough understanding not only of the communications technology that supports a VPN circuit, but also of the underlying protocol mesh that’s been designed to allow for VPN connectivity. There are some items to consider when setting this up. First, you have to choose a protocol. The two available are PPTP over Microsoft Point to Point Encryption (MPPE) and L2TP (Layer Two Tunneling Protocol) over IPSec. PPTP is more primitive and should be used only when down-level clients are concerned. L2TP is more sophisticated, supports mutual authentication, and is designed for communication between Windows 2000 machines. MPPE and IPSec are protocols used to encrypt the VPN connections. Figure 4.4 shows the VPN configuration status in the MMC. We’ll learn more about the details of configuration later and how it fits into the big picture. FIGURE 4.4
VPN port configuration in the RRAS MMC
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 199
RRAS As a NAT Server A feature that is completely new to Windows 2000 and RRAS is the ability to serve as a Network Address Translation (NAT) server. NAT allows network clients to easily access Internet resources. In fact, you don’t even need ISA Server to enable it—simply configure NAT through RRAS and you’re away to the races. ISA Server doesn’t use NAT or its little brother, Internet Connection Service (ICS), so this is merely informational for you from an ISA perspective. NAT changes the network user’s internal address to an external address, thus allowing internal networks to utilize the reserved IP ranges and to protect the identity of the internal computers. When this function is performed on a client, we say the address has been NAT-ted. See the diagram in Figure 4.5. FIGURE 4.5
A NAT server NAT-ting an internal address
User A 204.23.37.144 External address
Internet User A 169.127.30.44 Internal address
NAT (ISA) server
NAT technology finds its way into two different implementations in Windows 2000: Internet Connection Sharing (ICS), which is used as a rudimentary solution meant for very small networks that have no more than one subnet and few clients, and NAT (cleverly named after the NAT technology), which requires configuration through RRAS. You’d use ICS in a mom-and-pop-type shop where you had to get a handful of users out to the Internet. You’d use NAT in a larger environment, but still not scaled to the point where you had to throw massive router resources at subnets and huge numbers of users.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
200
Chapter 4
■
ISA Server and RRAS Integration
RRAS As a Router Finally, RRAS can serve as a network router. If you’re going to do this in lieu of a hardware router (Cisco, Bay, etc.), we strongly recommend that you invest in some very fast network cards so your performance isn’t hampered. There may be a price/performance break where it’s advisable to check into a good-quality hardware router. For small-to-medium-sized networks, however, RRAS can make a great router! It can serve as a static router, meaning that you manually add routes, or a dynamic router, meaning that the router discovers the networks for you. If you have a smaller network with only a handful of subnets, we’d recommend doing static routing. This is because the routes—under most circumstances, depending on how you input them—never go away and you shouldn’t have to worry about convergence. Convergence simply means that all the routers agree on the contents of the routing tables and that a packet can get from one router to any subnet on the network. RRAS supports two dynamic routing protocols: Routing Information Protocol (RIP) versions 1 and 2 (RIPv2) and Open Shortest Path First (OSPF). Again, you must make a choice here if you want to use dynamic routing. You should probably choose RIP if you have a smaller network and little traffic. That’s because RIP uses broadcasts to achieve convergence. On the other hand, OSPF uses a complicated system that is based on direct connections to a few routers in its local vicinity. A detailed discussion of OSPF is beyond the scope of this book, but just remember that you should use it when you have a large number of subnets and routers. At that point, RIP becomes impractical because of the number of broadcasts involved and the amount of time it takes for the routers to converge.
Introduction to IP Routing Now that we’ve discussed just what RRAS does for us, we need to know exactly how IP routing works. Of course, this is because we’re going to be connecting to the Internet as well as our internal network. Most of you should be familiar with IP routing, so let’s talk about how it works with Windows 2000. The very first thing that you need to be familiar with is the Windows 2000 routing table. There are a couple of ways to see it. The first way is through the RRAS console (see Figure 4.6), and the second is through the ROUTE.EXE command-line utility (See Figure 4.7).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 201
FIGURE 4.6
Routing tables in the MMC
FIGURE 4.7
Routing tables at the command line
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
202
Chapter 4
■
ISA Server and RRAS Integration
The most important function from our standpoint is to be able to manage routing tables via the ROUTE.EXE command. Table 4.1 lists the commands that can be used with ROUTE.EXE. You use this command from a command prompt when you’re trying to ascertain a system’s routing table. Suffix the ROUTE command with optional qualifiers and you get varying output of what the system’s route table contains.
Note that if you key in the static routes yourself using the Route Add command, be sure to suffix the command with a –p (persistent) switch to make the route permanent. Also note that if you manually key a route into the routing table, it will not show up in ISA Server’s Static Routes section.
TA B L E 4 . 1
ROUTE.EXE commands Qualifier
Description
ROUTE PRINT ROUTE ADD route MASK mask gateway ROUTE DELETE route
Prints the contents of the routing table
ROUTE CHANGE
Adds a route to the routing table with the specified subnet mask and default gateway Deletes the specified route from the routing table Changes the specified route in the routing table
RRAS As a Demand-Dial Router Now that we’ve covered the basics of routing, we can move one step closer to using ISA Server by discussing what demand-dial routing is and how to configure it on the RRAS server. Demand-dial routing is the process of routing packets over a non-persistent connection, such as a phone line, ISDN line, or other non-LAN-based wire. Demand-dial routing has its good points as well as its bad points. It is excellent because of its relative ease of installation and configuration as well as the fact that you don’t have to spend thousands of dollars on hardware routers.
Configuring RRAS for Demand-Dial Routing Since demand-dial routing is pretty easy to get running with Windows 2000 and RRAS, let’s take a look at it.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 203
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections. ■
Set up and verify routing rules for static IP routes in Routing and Remote Access.
You enable demand-dial routing as follows: 1. From the Start Menu, select Programs ➣ Administrative Tools ➣
Routing and Remote Access. 2. From the Routing And Remote Access console, choose Routing
Interfaces, as shown in Figure 4.8. FIGURE 4.8
The Routing Interfaces section of the RRAS console
3. Right-click Routing Interfaces and select New Demand Dial
Interface. 4. The Demand Dial Interface Wizard starts, as shown in Figure 4.9.
Click Next to continue.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
204
Chapter 4
■
ISA Server and RRAS Integration
FIGURE 4.9
The Demand Dial Interface Wizard start screen
5. Specify a name for the remote route, making it something intuitive
and memorable. Once you have done so, click Next. 6. Select the type of connection you require. If you are going to use a
modem or ISDN terminal adapter, select Connect Using A Modem, ISDN Adapter, Or Other Physical Device. If you’re going to use a VPN connection, select that option. When you have completed this, click Next. 7. Choose the device you will use to make your connection, and then
click Next. 8. Select the appropriate security options on the Protocols And
Security page, shown in Figure 4.10. Make sure you select all appropriate options. For example, if you have Novell servers prior to version 5.0, you may need to route IPX packets. Also, if you are in a different domain from the destination RRAS server, you may need to create a local account to allow the remote router to authenticate so it can route packets back to you. Click Next to return to the Dial Out Credentials page of the wizard.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 205
The Add A User Account So A Remote Router Can Dial In option does not set up credentials for you to access the remote site. Either you or the administrator at the remote site needs to create an account so the remote router can be accessed. This is especially important if your routers are in different domains.
FIGURE 4.10
The Protocols And Security tab of the Demand Dial Interface Wizard
9. Enter the credentials required to access the remote router. Make
certain you enter the appropriate domain name and password for the account, and then click Next. 10. The final screen shows completion of the wizard. Click Finish to
apply your changes and create your demand-dial route. 11. The Routing And Remote Access console now shows the demand-
dial route added to the Routing Interfaces section, as shown in Figure 4.11.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
206
Chapter 4
■
ISA Server and RRAS Integration
FIGURE 4.11
The Routing And Remote Access console with the completed demand-dial route
Once you’ve completed the configuration of the demand-dial route, there are a few additional configuration changes that you may want to make. First of all, you might want to limit the times at which the connection can be used. Let’s say, for instance, that the route you just created requires a long-distance call over a 56KB dial-up connection and that the only time that communication would need to take place between these two sites is at night. You would want to ensure that connections to that site are made only at night so that your company doesn’t incur a tremendous amount of long-distance charges. These types of requirements are critical to identify at the beginning. The bright side to this is that setting availability times is actually extremely easy. Just follow these steps: 1. Navigate to the Routing Interfaces window of the Routing And
Remote Access console. 2. Right-click the demand-dial route you just created and select Dial-
out Hours from the menu, as shown in Figure 4.12.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 207
FIGURE 4.12
The Dial-out Hours menu option
3. The Dial-out Hours window is displayed, as shown in Figure 4.13. FIGURE 4.13
The Dial-out Hours window
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
208
Chapter 4
■
ISA Server and RRAS Integration
4. As you can see, the route is always available by default. To change
this, simply highlight the hours that you want to be unavailable. Anything displayed in white is unavailable, while anything displayed in blue is available for use. You may also want to configure a few other things in the RRAS console, such as the amount of time a demand-dial connection can remain inactive before it disconnects or the security settings. This is also very easy to do: 1. From the Routing Interfaces window, select the route you created,
right-click it, and choose Properties. 2. Select the Options tab, as pictured in Figure 4.14. FIGURE 4.14
The Options tab of the demand-dial interface’s Properties page
3. From here, you can set whether or not you want the connection to
be persistent (which essentially makes it a static route) or at what interval of inactivity you want the interface to disconnect. You can also set the number of redial attempts that will be made in case the connection to the remote router fails and the interval at which redial attempts will be made. In addition, you can set options for multilink here, which allows you to use multiple devices to dial in and combine the bandwidth of the modems or devices.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Introduction to Routing and Remote Access Service 209
You can also configure packet-filtering rules through the RRAS console. We’re not going to do this, however, because you should use ISA Server for this purpose. We’ll take a look at that a bit later.
I’d strongly recommend against configuring packet filtering at the route level in RRAS if you’re going to be using ISA Server. Not only is it confusing, but it can also cause problems if you attempt to do packet filtering in more than one place.
Setting Up Static IP Routes You may run into a situation where you have an RRAS server that needs to send connection requests to a different route on the network. You can enter the address of the router with which to connect by setting up what is called a static route, which is really nothing more than a GUI tool that enters the route into the server’s routing table instead of you having to use a command-line command to do the same thing. In the Routing And Remote Access MMC, navigate down to IP Routing and then to the Static Routes node. Right-click the node and select New Static Route to bring up the new Static Route window shown in Figure 4.15. FIGURE 4.15
The Static Route dialog box
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
210
Chapter 4
■
ISA Server and RRAS Integration
To key in a static route, simply select the interface from the dropdown menu, key in the destination IP address, subnet mask, and gateway, and select a metric; then click OK. The new static route will show up in the Details pane of the Static Routes node. To assure yourself that the correct information appears in the server’s routing table, right-click the Static Routes node again, and this time select Show IP Routing Table. The IP Routing Table window will appear, as shown in Figure 4.16. FIGURE 4.16
The IP Routing Table as rendered by ISA Server
Virtual Private Networking
E
arlier, we briefly mentioned that RRAS could act as a VPN server on Windows 2000, with a promise that we’d talk about it later. Well, later has arrived, so let’s chat! If you’ve never been exposed to the wonderful world of virtual private networking, I’m sure your first question is, “What is a VPN anyway?” The answer to that is easy. Once the VPN server is configured, clients that have the appropriate Dial-Up Networking (DUN) client software installed (which is included with Windows 98, NT, and 2000) can dial up to the Internet, execute the VPN client software, and have an encrypted communication line with their company’s internal servers.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
211
The great thing about a VPN is that you can connect from any Internet connection in the world and not have to worry about compromising your company’s confidential data. You’re probably wondering how this is all possible. After all, you can connect from virtually anywhere and have a secure connection. This is made possible through encryption. Before we go any further, let’s take a look at exactly what’s going on between the client and the VPN server to make this work.
Encryption Basics Although there are many different kinds of encryption that are far beyond the scope of this book, as the concepts and mathematics can become very difficult, it is important to get a basic idea as to how Windows 2000 and RRAS encrypt data in a VPN. First of all, Windows 2000 primarily uses a type of encryption called public key/private key cryptography. Public key/private key cryptography uses exactly what you might imagine—a public key and a private key. A public key is available throughout the network to anyone who requests it, but a private key is available only to the client to whom it belongs. A public key is made available to clients through a certificate, which is issued by a Certificate Authority (CA). A Certificate Authority can be a public company such as Verisign, or it can be a private certificate server that is installed on a Windows 2000 Server and is used only by your company and its clients.
We strongly recommend for ease of computer and web browser configuration that you obtain a certificate from a reputable third-party organization if you intend to allow paying clients of your company to access secure data on your network.
Within the certificate is a server or client’s public key. Whenever a client requests it, a server must send its certificate so that the client can extract the public key. Also, the client can verify the authenticity of the certificate by going to the CA that issued it and verifying the information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
212
Chapter 4
■
ISA Server and RRAS Integration
Now that we have the basic terminology down, let’s put a practical spin on this. For instance, let’s say that you have a client that is connecting to a VPN server. This is what happens to negotiate the connection: 1. The client connects to the VPN server and requests the server’s
certificate. 2. The client validates the certificate and reads the server’s public key. 3. The client generates a random key and encrypts it with the server’s
public key. This ensures that only the server can decrypt it.
If this is a little confusing, imagine the public key and private key as two distinct parts of a secret decoder ring. You might be able to encrypt a message with half of it, but unless you have the other half of the ring, you won’t be able to understand the message.
4. The client then sends the encrypted random key across the network
to the server. 5. The server receives the encrypted random key and decrypts it by
using its private key (the other half of the secret decoder ring). 6. Now that both the client and the server have the random key, they
use that key to communicate securely for the entire session. In other words, the previous steps are used just to generate a special key that the client and server can use for one session only. Should the connection be lost or the session ended, the entire process would have to be repeated.
The above explanation is not necessarily what happens in every case. The actual steps required may vary depending on the protocol that is used by the VPN server and the client. For example, some protocols require mutual authentication. That means that the client would have to send its certificate back to the server for authentication.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
213
Configuring a VPN with RRAS Now that you have a basic grasp of the encryption technologies associated with a VPN, we’ll show you how to use RRAS to set up a VPN server. For right now, let’s review using the Routing And Remote Access Server Setup Wizard to install a VPN server. In Exercise 4.1, you will install RRAS as a VPN server. EXERCISE 4.1
Installing RRAS As a VPN Server This exercise sets up the RRAS server as a VPN server ready to accept telecommuting VPN clients such as those with DSL or cable modem service. There is also a way to set up two servers with a VPN connection to each other so that the two have a secure (and, with any luck, highspeed) Internet connection with each other, thus saving you money on expensive WAN circuits. You’ll need to know how to do both kinds of VPN setups when considering ISA design configurations. Now let’s set up the RRAS server as a VPN server:
1. Ensure that you are logged on to your Windows 2000 Server as Administrator.
2. Go to Start ➢ Programs ➢ Administrative Tools ➢ Routing And Remote Access.
3. If you’ve already installed and configured RRAS, right-click your server’s name and select Disable Routing And Remote Access. Answer Yes to the question about whether to continue. Wait for the service to stop, and then continue with the next step. If you have not installed and configured RRAS, skip this step and move on to the next step.
4. Right-click your server’s name and select Configure And Enable Routing And Remote Access.
5. Click Next to pass through the introductory screen. 6. Select Virtual Private Network (VPN) Server, as shown in the graphic below. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
214
Chapter 4
■
ISA Server and RRAS Integration
EXERCISE 4.1 (continued)
7. Ensure that TCP/IP is in your list of protocols and then click Next. 8. Select the appropriate network connection to the Internet and then click Next.
9. Select whether you want to use DHCP to allocate IP addresses or a static pool and then click Next.
10. Click No on the next page to ensure that you do not configure a RADIUS server.
11. Click Finish on the final page to start the RRAS once again. 12. While in the RRAS MMC, scroll down to the Remote Access Policies node and expand it. Note that a new remote access policy, Allow Access If Dial-in Permission Is Enabled, has been created for you, as shown below.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
215
Now that RRAS has been configured as a VPN server, the rest is pretty easy. The only real maintenance point from here is to configure security if necessary and set the number of ports required. Let’s take a look at how to change the number of ports used for VPN connections in the RRAS console: 1. Open the RRAS console. 2. Choose the Ports section, as shown in Figure 4.17. FIGURE 4.17
The Ports section of the RRAS MMC
3. Right-click the Ports heading and select Properties. The Ports
Properties page appears, as shown in Figure 4.18. You can see that by default 128 ports are configured for PPTP and 128 for L2TP.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
216
Chapter 4
■
ISA Server and RRAS Integration
FIGURE 4.18
The Ports Properties page
4. To increase or decrease the number of ports, select either PPTP or
L2TP, click Configure, and specify the number of ports you require. As we stated before, PPTP is usually used for down-level clients that cannot communicate using IPSec, which is the preferred method for securing data in Windows 2000. If you are running a native Windows 2000 Professional environment, you should eliminate PPTP ports and use L2TP as the VPN protocol, as it offers a greater amount of security because of IPSec’s increased encryption capabilities.
Configuring ISA Server for VPN Access Once you’ve installed a VPN server on Windows 2000, you have to understand how to integrate ISA Server into the picture. There are specialized configuration tasks that are required to ensure that ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
217
can accept local and remote connections from other ISA VPN servers as well as clients. Configure and troubleshoot Virtual Private Network (VPN) access. ■
Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard.
■
Configure the ISA Server computer for VPN pass-through.
Configuring ISA Server for VPN Clients The first task we need to perform is to configure ISA Server to accept connections as a VPN server. RRAS alone will not do this when ISA Server is installed. This task is relatively simple and is outlined in Exercise 4.2. Remember that you must have ISA Server installed in either integrated mode or firewall mode to successfully perform this action. EXERCISE 4.2
Configuring ISA Server to Accept VPN Client Connections 1. Ensure that you are logged on to the local computer as a user that has administrative access to ISA Server.
2. Start the ISA Management console by going to Start ➢ Programs ➢ Microsoft ISA Server ➢ ISA Management.
3. Expand the Servers And Arrays tree. 4. Click the Network Configuration icon. Then click Configure A Client Virtual Private Network (VPN) in the window on the right. The ISA VPN Server Wizard starts.
5. Accept all the default settings throughout the wizard. Click Finish on the final screen to complete the wizard.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
218
Chapter 4
■
ISA Server and RRAS Integration
The above configuration is good for a simple network, that is, a network that has a single ISA Server and no remote branch offices. You must take additional steps if there are multiple offices that require a VPN tunnel. A VPN tunnel is a semi-permanent connection that generally exists between two branch offices of a company. This configuration is usually required when sensitive information must be exchanged securely between the branch offices. Also, clients use this type of connection without having to specifically configure a VPN connection. They simply communicate with an RRAS server that acts as a router, encrypts the data, and sends it through the tunnel. It is important to understand what the wizard does behind the scenes to allow the server to accept VPN connections. When ISA Server is first installed in firewall or integrated mode, virtually everything is securely locked down. No ports are open to service Internet clients. The policy is a good one as far as security goes. Simply put, “less is more.” When you run the Configure A Client Virtual Private Network (VPN) Wizard, RRAS is configured to allow authentication and encryption as well as allow the appropriate PPTP or L2TP ports through the firewall for client connectivity. After you run the wizard, the RRAS service will stop and restart, thus allowing clients to connect as needed. Also, this procedure allows a client to connect to an RRAS server that is behind an ISA Server in firewall mode. This is referred to as VPN passthrough. As long as the appropriate ports are open on the firewall, clients can connect to an internal VPN server through an ISA Server.
Configuring ISA Server for VPN Tunnels When ISA Server needs to serve as the endpoint of a VPN tunnel, the configuration process is a little bit different. You need to configure both the local and remote sides of the VPN tunnel. You can do this by running two wizards, the Local VPN Wizard and the Remote VPN Wizard. When run, each wizard completes a section of the overall configuration needed to support a VPN tunnel between two locations. The first part of the configuration is to run the Local VPN Wizard. Exercise 4.3 shows you how to complete this task.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
219
EXERCISE 4.3
Configuring a Local ISA Server As a VPN Tunnel In this exercise, you will configure a local ISA Server as a VPN tunnel. Note that this exercise requires two network interface adapters in the computer you’re working on:
1. Ensure that you are logged on to the local computer as a user with administrative access to ISA Server.
2. Start the ISA Management console by going to Start ➢ Programs ➢ Microsoft ISA Server ➢ ISA Management.
3. Expand the Servers And Arrays tree. Then expand the tree with your server name.
4. Click the Network Configuration icon. Then click Configure A Local Virtual Private Network (VPN) in the right window. The Local ISA VPN Wizard starts.
5. Click Next to bypass the first screen. In the ISA VPN Identification screen, enter names for the local network and remote network, and click Next when finished.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
220
Chapter 4
■
ISA Server and RRAS Integration
EXERCISE 4.3 (continued)
6. Choose the appropriate protocol for your network environment. For environments combining Windows 9x, Me, NT, and 2000, you should select Use L2TP Over IPSec If Available. Otherwise Use PTPP. Click Next to continue.
7. On the Two-Way Communication screen, select the check box if you want both machines to be able to initiate communications. If you check the check box, enter the fully qualified domain name of the remote machine or its IP address. You will also need to enter the domain credentials. This will create a user account for the VPN connection. If you want the account to be local, enter the local name of the machine. If you want the account to be a domain account, enter the name of a domain controller. Click Next when finished.
8. On the Remote Virtual Private Network (VPN) page, select the range of IP addresses that the local server will be permitted to access. Make certain you select all ranges of IP addresses that are necessary, and then click Next.
9. On the Local Virtual Private Network (VPN) page, select the IP address of the local machine that you want clients to be permitted to connect to. Also select the ranges of IP addresses that the clients will be allowed to access. Click Next when finished.
10. On the next page, specify a path in which you want the configuration file to be saved, and enter a name for the file if you prefer something other than LocalNetwork_RemoteNetwork.VPC, where LocalNetwork and RemoteNetwork are the names you assigned in the ISA VPN Identification screen earlier. The default path is My Documents. Also specify a password for the file. The administrator at the remote site will require this password to complete the configuration on that side. Click Next and then click Finish to complete the ISA VPN Wizard. Next, we must add a remote access policy that allows the two servers to communicate with one another through a VPN. We’ll start by creating an Active Directory Users and Computers user group consisting of the accounts that will be used when the two servers
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
221
EXERCISE 4.3 (continued)
connect with each other. Each of these user accounts will have to be enabled for dial-in permission. (Note that we’re not covering the enabling of the users in this exercise, although it’s easy to do.) By creating an Active Directory group that we can populate with dial-inenabled users, we simplify any RRAS administration we need to do. To add the remote access policy, follow these steps:
1. Choose Start ➢ Programs ➢ Administrative Tools ➢ Active Directory Users And Computers. The Active Directory Users And Computers MMC will open to the Users node.
2. Right-click Users and select New ➢ Group. The New Object – Group window appears.
3. In the Group Name field, type something meaningful such as RRAS
Users. The pre-Windows 2000 group name can remain the same. We’ll stick with the defaults of Global and Security Group. Click Next to continue.
4. If you have Exchange 2000 installed, then you’ll be prompted as to whether you want to create an Exchange mailbox. You don’t, so click Next.
5. Click Finish to conclude the creation of the group. 6. Now simply double-click your newly created group to open its Properties sheet. Then choose the Member tab and click the Add button to add your dial-in enabled users to the group list. Next, we’ll configure a routing and remote access policy to accept server-to-server VPNs:
1. Move to the Routing And Remote Access MMC and navigate down to the Remote Access Policies node.
2. Right-click the Remote Access Policies node and select New Remote Access Policy. The Add Remote Access Policy window appears.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
222
Chapter 4
■
ISA Server and RRAS Integration
EXERCISE 4.3 (continued)
3. In the Policy Friendly Name box, type in a meaningful name such as
Local/Remote VPN Server policy, as shown below. Click Next.
4. In the Conditions window, click the Add button. The Select Attribute window appears, as shown below.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
223
EXERCISE 4.3 (continued)
5. Double-click the NAS-Port-Type name to reveal the NAS-Port-Type selection window. Scroll down the available types to select Virtual (VPN) and then click Add. Your selection should look like the one shown below. Click OK to return to the Conditions window.
6. Click Add again to open the Select Attribute window, but this time double-click the Windows-Groups option to open the Groups window.
7. Click Add, and make sure that in the Look In field you’ve selected the correct domain. Then choose the group you created above by double-clicking it or single-clicking it and then clicking the Add button, as shown below.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
224
Chapter 4
■
ISA Server and RRAS Integration
EXERCISE 4.3 (continued)
8. Click OK to return to the Groups window. 9. Click OK to return to the Conditions window. You should now have two conditions in your Local/Remote VPN Server policy, as shown below.
10. Click Next to open the Permissions window. You want Grant, not Deny permissions, so click the Grant Remote Access Permission radio button.
11. Click Edit Profile to put the final touches on the remote access policy, setting the authentication type and encryption strength you desire. Note that the default encryption strength is NO ENCRYPTION. There might be a small security hole here if you don’t bother taking a look at it.
12. Click Finish to conclude the creation of the policy. Finally, note that this group-creation trick will work for standard RRAS users as well. You’ll want two different groups, though: one for your server-to-server VPN connectivity and one for your regular dial-in user population.
Again, even though you’ve run a neat wizard to complete the task for you, it is important to understand exactly what you did here so that you can reproduce the work if need be. First of all, the wizard modifies RRAS
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Virtual Private Networking
225
configuration to create demand-dial interfaces for remote VPN server(s) to connect. Second, it creates the appropriate IP packet filters to allow PPTP, L2TP, or both to come through the firewall. Finally, the wizard creates a VPC file. A VPC file contains the configuration settings that we just applied. This file is password-protected and required by the remote administrator when setting up the second side of the tunnel. If the remote administrator doesn’t have this file, the configuration of the VPN tunnel quickly comes to a screeching halt.
Once you run the wizard, you can use the VPC file virtually unlimited times to configure multiple remote servers.
It is also very important to understand that these wizards simplify life, but you can also complete the configuration by using good old-fashioned elbow grease. Here’s what you’d have to do to manually set up everything appropriately: 1. Configure packet filters on the local machine to allow access to
PPTP ports, L2TP ports, or both to the appropriate remote IP subnets. 2. Configure demand-dial interfaces to allow the remote VPN server to
connect to the local server. 3. Contact the remote administrator to create packet filters on the
remote machine to allow access to PPTP ports, L2TP ports, or both to the appropriate local IP subnets. 4. Configure demand-dial interfaces to allow the local VPN server to
connect to the remote server.
The wizards set up accounts so that the connections have their own credentials for login. You might want to do this as well since it increases security.
The final task to be performed is to run the Remote ISA Server VPN Wizard to complete the tunnel. The steps to complete this are outlined in Exercise 4.4.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
226
Chapter 4
■
ISA Server and RRAS Integration
EXERCISE 4.4
Configuring a Remote ISA Server As a VPN tunnel 1. Ensure that you are logged on to the local computer as a user that has administrative access to ISA Server.
2. Start the ISA Management console by choosing Start ➢ Programs
➢ Microsoft ISA Server ➢ ISA Management. 3. Expand the Servers And Arrays tree. Then expand the tree with your server name.
4. Click the Network Configuration icon. Then click Configure A Remote Virtual Private Network (VPN) in the right-hand window. The Remote ISA VPN Wizard starts.
5. Specify the name of the VPC file in the first dialog box. Specify the password for the file in the second dialog box. Click Next to continue. Finally, click Finish to complete the configuration task.
Now that these tasks are complete, you have successfully configured ISA Server to integrate with the built-in functionality of RRAS provided by Windows 2000. Clients should be able to freely enter whenever necessary.
Summary
I
n this chapter, you learned the essentials of integrating Routing and Remote Access Service with ISA Server. First, we discussed the basics of configuring RRAS in its different modes. Then we took a more detailed look at how RRAS serves as a router and a VPN server. You learned how to configure static routes in RRAS and how to change configuration information for demand-dial routing with RRAS. Next, you learned how to configure ISA Server with RRAS to allow for VPN connectivity. You saw how to direct ISA Server to have clients connect as well as have a persistent VPN tunnel to secure data between physical locations. Finally, you learned about VPC files and the role they play in the configuration of RRAS and ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Exam Essentials 227
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: Point-to-Point Tunneling Protocol (PPTP)
certificate demand-dial routing
virtual private network (VPN)
Internet Protocol Security (IPSec) Layer Two Tunneling Protocol (L2TP) Network Address Translation (NAT)
VPC file VPN pass-through VPN tunnel
port
Exam Essentials Be able to configure and troubleshoot virtual private network (VPN) access. Understand how to use the VPN wizards. Understand how to configure ISA as a VPN endpoint without using the VPN wizards. Understand what an endpoint is in terms of two VPN servers connected to each other and how to live without the ISA VPN wizards to set this up. Be able to configure the ISA Server for VPN pass-through. Understand why you’d use VPN pass-through on a RRAS server behind the firewall. Know how to set up and troubleshoot RRAS dial-up and dial-ondemand connections. Understand how ISA interfaces with RRAS. Understand how to set up and verify routing rules for static routes in RRAS. Be able to configure the appropriate routing rules for static routes.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
228
Chapter 4
■
ISA Server and RRAS Integration
Review Questions 1. You are the administrator of a two-node ISA Server array. Recently,
your U.S.-based company acquired a small manufacturing interest in Germany. This company has a robust connection to the Internet, and you’re thinking that instead of setting up some sort of expensive WAN connection so that this new arm can be part of the enterprise, you’ll set up a VPN connection. You walk the administrator in Germany through the basics of setting up an ISA Server, and now you’re ready to run the Local VPN Wizard. What is the output of running the ISA Local VPN Wizard that the administrator in Germany will use to finish the VPN setup? A. A VPN file B. A VPC file C. A demand-dial route D. There is no output. 2. With Windows 2000 VPN technology, you have your choice of
tunneling protocols. Select the two tunneling protocols from the list below. A. L2TP B. PPTP C. OSPF D. RIP E. IGRP 3. You are the administrator of a two-campus corporation, one of
which is in Vancouver, the other in Winnipeg (see exhibit). The two campuses are currently unconnected, but management has directed you to find an inexpensive way to link the two for purposes of e-mail and document collaboration. Only the Winnipeg site currently has an Internet connection, which runs at 6Mbps. You’ve read about ISA Server’s VPN technologies and think that you can leverage the Local/Remote VPN technology to handle this situation. From the list below, select the appropriate setup methodology.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 229
Winnipeg
Vancouver Internet
A. Procure an Internet connection in the Vancouver site. Install an
ISA Server in the Winnipeg site and a Windows 2000 Server in the Vancouver site. Set up Internet Connection Sharing (ICS) on the Vancouver server to dial the Winnipeg server. B. Procure an Internet connection in the Vancouver site. Install an
ISA Server in the Vancouver and Winnipeg sites. Set up Internet Connection Sharing (ICS) on the Vancouver server to connect to the Winnipeg server. C. Procure an Internet connection in the Vancouver site. Install an
ISA Server in the Vancouver and Winnipeg sites. Run the Local VPN Wizard on the Winnipeg ISA Server and the Remote VPN Wizard on the Vancouver server. D. Procure an Internet connection in the Vancouver site. Install an
ISA Server in the Winnipeg and Vancouver sites. Set up an RRAS WAN connection between the two. 4. You’ve heard about ISA Server’s abilities to run as a VPN host server
for telecommuting clients. You have several users who have DSL or cable modem connections to the Internet and would like to be able to connect to the office from home using VPN technology (see exhibit). What should you do to enable VPN clients to connect to an ISA Server? (Select all that apply.)
Cable modem client DSL client Your site’s ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
Internet
www.sybex.com
230
Chapter 4
■
ISA Server and RRAS Integration
A. Run the Remote VPN Wizard. B. Run the Local VPN Wizard. C. Create a remote access policy. D. Configure the client. E. Configure Internet Connection Sharing. 5. You are the administrator of a network that uses RRAS as a remote
access server. You use DHCP to allocate IP addresses to your clients. After you configure the server, your users complain that they cannot connect to the RRAS server. Some basic troubleshooting reveals that they’re not picking up TCP/IP information from you when they connect. What should you do? A. Configure a DHCP server to reserve the addresses for the RRAS
clients. B. Configure a static address pool for the clients to use. C. Configure a DHCP relay agent on the RRAS server. D. Configure a DHCP relay agent on a second RRAS server. 6. Which is the most secure VPN tunneling protocol? A. IPSec B. L2TP C. PPTP D. MPPE 7. You’re trying to set up a Local/Remote VPN connection between
two ISA Servers. RRAS has been set up and appears to be working properly, but when you run the two VPN wizards and then try to connect, you’re unable to do so. The remote access policy looks okay, as shown in the exhibit below. What could be the problem? (Select all that apply.)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 231
A. You’ve not yet set up user accounts for each of the VPN servers. B. You need a VPN remote access policy. C. You need to stop and restart the RRAS services for the VPNs to
take effect. D. The remote site hasn’t utilized the VPC file. 8. You’ve enabled ISA Server to act as a VPN host for telecommut-
ing users. You’ve tested the VPN connections with your home Windows 2000 Professional PC and things seem to be working okay—you had no problems configuring DUN for a VPN connection nor were you unable to access the private network. But now that you’ve put the system into production, your help desk is being inundated with calls from users who claim they cannot access the network. What could be the problem? A. Your VPN is configured for MPPE. B. Your VPN is configured for MS-CHAP. C. Your VPN is configured for L2TP. D. Your VPN is configured for PPTP. 9. You’re setting up an RRAS server in a remote site (SiteB in exhibit)
that will forward demand-dial requests to an ISA Server in SiteA. In order to accomplish the forwarding of these requests, what do you
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
232
Chapter 4
■
ISA Server and RRAS Integration
need to do? Two of the answers below are correct answers—select two answers. RRAS Server
ISA Server
Remote SiteB
SiteA
A. Use the ISA MMC to set up a static route. B. Use the Route Add –p command to add the static route. C. Use the Route Add command to add the static route. D. Use the RRAS MMC to add the static route. 10. What are the routing protocols supported by Windows 2000 RRAS?
(Select all that apply.) A. RIP v1 B. OSPF C. IGRP D. IGMP E. RIP v2 11. What changes are made when you run the ISA Server VPN Client
Connection Wizard? (Select all that apply.) A. A remote access policy is created that grants access to all clients
with dial-in permissions. B. A set of IP packet filters is created that allows PPTP and L2TP
connections. C. The ISA Server goes through a server-hardening process that
tightens down any loose security processes on the computer. D. The RRAS server is configured as a VPN server. E. Authentication and encryption methods are enforced.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 233
12. You are configuring a VPN tunnel between two Windows 2000
Server machines. Which encryption protocol should you use? A. IPSec over PPTP B. IPSec over L2TP C. MPPE over PPTP D. MPPE over L2TP 13. You are the administrator of a network that uses Windows 2000
Professional clients and ISA Server for Internet access. You are performing the initial configuration of ISA Server and RRAS. Once the installation of ISA is complete, you attempt to ping a client on the Internet from the ISA Server and are successful. When you attempt to do the same thing from a client, your attempt is unsuccessful. What is the most likely solution to the problem? A. Enable IP routing in the ISA MMC. B. Enable IP routing in the RRAS MMC. C. Reinstall the NIC driver for the external adapter on the
ISA Server. D. Reinstall the NIC driver for the internal adapter on the
ISA Server. 14. Which RRAS service allows internal clients to connect to the
Internet? A. VPN B. PPTP C. NAT D. RADIUS
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
234
Chapter 4
■
ISA Server and RRAS Integration
15. Which RRAS service provides accounting services for dial-up
clients? A. VPN B. NAT C. RADIUS D. PPTP 16. Digital certificates are required to be issued for what RRAS
purpose? (Select all that apply.) A. PPTP MPPE connections B. PPTP IPSec connections C. L2TP MPPE connections D. L2TP IPSec connections 17. What is the term used to describe routers whose routing tables are
correct? A. Agreement B. Connection C. Convergence D. Divergence 18. Which programs have to be run to configure ISA Server to maintain
a VPN tunnel connection? (Select all that apply.) A. Local VPN Wizard B. Remote VPN Wizard C. ISA Configuration Wizard D. RRAS MMC
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 235
19. Suppose that you had configured an ISA Server to act as a client
VPN server. Users are complaining that they cannot connect to the VPN server no matter how hard they try. You’ve checked everything: The client configurations look okay, and the RRAS and ISA Server configurations are correct. What else could you check that might be wrong? A. ISP doesn’t support VPN connections. B. Clients can’t resolve the name of the VPN server. C. Clients are not allowed to connect to a VPN through their local
ISP. D. ISA Server needs a ROUTE ADD command in order to add static
entries for all clients connecting. 20. You’re the administrator for a small network of about 20 users.
Currently, you have two dial-up connections with your ISP. You want to set up your users so that they have an easier, faster access to the Internet. What steps should you take? A. Install the ISA Server in integrated mode. Set up the RRAS
phonebook entry to use Internet Connection Sharing. Set up URL caching within ISA Server. Set up ISA Server demand-dial. B. Install the ISA Server in cache mode. Set up the RRAS
phonebook entry to use Internet Connection Sharing. Set up URL caching within ISA Server. Set up ISA Server demand-dial. C. Install the ISA Server in integrated mode. Set up modem pooling.
Set up the RRAS phonebook entry to use Internet Connection Sharing and the pooled modems. Set up URL caching within ISA Server. Set up ISA Server demand-dial. D. Install the ISA Server in firewall mode. Set up modem pooling.
Set up the RRAS phonebook entry to use demand-dial and the pooled modems. Set up URL caching within ISA Server. Set up ISA Server demand-dial.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
236
Chapter 4
■
ISA Server and RRAS Integration
Answers to Review Questions 1. B. A VPN (virtual private network) file is the output of the wizard. 2. A, B. Windows 2000 supports the older VPN tunneling protocol,
Point to Point Tunneling Protocol (PPTP), and a newer version, Layer Two Tunneling Protocol (L2TP). Along with the tunneling protocol, you generally utilize some form of encryption. As a rule of thumb, you’ll use Microsoft Point to Point Encryption (MPPE) when utilizing PPTP and Internet Protocol Security (IPSec) when working with L2TP. L2TP is certificate-based and is designed to work with Windows 2000 Professional or Windows 2000 Server clients. 3. C. First, you must procure an Internet connection for the Vancouver
site. Next, you set up ISA Servers at both sites. Then, you run the Local VPN Wizard in one site and the Remote VPN Wizard in the other. Note that without suitable name resolution on the Internet between the two servers, the wizards may not run correctly. 4. B, C, D. The Local VPN Wizard configures ISA Server to allow
VPN clients to connect to the server. The remote access policy creates a method whereby telecommuting users can connect to the server. The client will have to have a dial-up networking (DUN) VPN connection configured. Missing here is the fact that you also need to enable the client for RRAS access and you need to make sure that your DNS entries for the ISA Server are resolvable via the Internet. 5. C. In order to use DHCP for RRAS clients, a DHCP relay agent
must be installed on the RRAS server. 6. B. L2TP is the preferred security protocol for VPN clients. However,
it is only supported for Windows 2000 clients. Note that you’ll use L2TP with the Internet Protocol Security (IPSec) encryption protocol to attain an encrypted tunneled VPN transmission.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 237
7. A, B. Recall that when you’re setting up a Local/Remote Server VPN
you need to provide a remote access policy that has as a condition a NAS-Port-Type of Virtual (VPN) before things can begin to work. You also need to utilize some sort of user account for each server that has dial-in permissions and credentials to access the other VPN server. 8. C. You’ve configured your VPN to run L2TP, a new tunneling
protocol that only Windows 2000 clients (Server and Professional) can utilize. Your Windows NT, Me, and 9x clients can’t play in the sandbox with L2TP. You’ll have to also set up a VPN rule that includes PPTP. 9. B, D. The Static Routes node of the RRAS MMC will show that
you’ve keyed a static route into the routing table. You can also use the Route Add –p command to make a persistent routing connection to the server. 10. A, B, D, E. All but the Internet Gateway Routing Protocol (IGRP)
are routing protocols supported by Windows 2000. Note that Windows 2000 supports both the older version of Routing Information Protocol (RIP) as well as the newer version RIP v2. 11. B, D, E. When you run the ISA VPN Server Wizard to allow
external clients to connect to the ISA Server, RRAS is configured as a VPN server, a set of IP packet filters is created to allow both PPTP and L2TP over IPSec, and authentication and encryption methods are enforced. You’ll want to visit the authentication and encryption methods to make sure they’re not too weak. A remote access policy that includes the NAS-Port-Server type of Virtual (VPN) is not included; you must do that within RRAS. 12. B. IPSec over L2TP is the strongest encryption protocol supported
by Windows 2000. Microsoft Point to Point Encryption protocol (MPPE) is supported over PPTP but not L2TP, and it isn’t as strong as IPSec.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
238
Chapter 4
■
ISA Server and RRAS Integration
13. B. Since you could locally access the Internet client from the ISA
Server, the driver works fine. You must enable IP routing from the RRAS MMC. 14. C. NAT (Network Address Translation) assists the client by
mapping external network connections to an internal IP address range. 15. C. The Remote Authentication Dial-In User Service (RADIUS)
provides authentication and accounting services for dial-up clients. This service is often used by ISPs and other organizations that want to keep track of how long users are connected to an RRAS server. 16. B, D. Any time IPSec is involved, you can think “certificates.”
Because PPTP and L2TP can both run over IPSec, either tunneling protocol would require the certificates, as issued by a Windows 2000 Certificate Authority (CA) server. This server may be the same as the ISA/RRAS server or it might live on a different box. 17. C. Convergence means that the routing tables of multiple routers are
in agreement with one another and allow packets to flow freely through the network. 18. A, B. The Local VPN Wizard and the Remote VPN Wizard must be
run in ISA Server to allow a persistent tunnel to be created between a local VPN server and a remote VPN server. 19. B. In troubleshooting problems like this, generally the KISS (Keep It
Simple, Stupid) principle works the best. Start small and work your way up. In the paragraph above, we’re not told that you checked to make sure clients could resolve the VPN server hostname—an item of paramount importance in any facet of Internet networking. 20. C. You have two dial-up Internet connections with your ISP, so
it’s possible that you could make use of Windows 2000’s modempooling features to double the bandwidth that can be had with any one connection. Then you can set up demand-dial and use ISA Server to cache users’ recent URLs for a faster Internet experience.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
5
Configuring ISA Server for the Enterprise MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Configure and secure the firewall in accordance with corporate policies. ■
Configure the packet filter rules for different levels of security, including system hardening.
✓ Create and configure access control and bandwidth policies. ■
Create and configure site and content rules to restrict Internet access.
■
Create and configure protocol rules to restrict Internet access.
■
Create and configure routing rules to restrict Internet access.
■
Create and configure bandwidth rules to control bandwidth usage.
✓ Install ISA Server. Installation modes include integrated, firewall, and cache. ■
Install an ISA Server computer as a member of an array.
✓ Manage ISA Server arrays in an enterprise. ■
Create an array of proxy servers.
■
Assign an enterprise policy to an array.
✓ Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP). ✓ Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
I
n this chapter, we begin to get down to the nuts and bolts of what ISA Server is all about. We start by talking about some common security problems in the enterprise. Next, we move to the definition and configuration of packet filtering and packet filter rules. We then discuss topics that deal with access control: site filtering, bandwidth limiting, routing rules, and protocol rules. Finally, we discuss arrays and their creation.
Common Security Problems in the Enterprise
W
e talked about this a bit in Chapter 1, but now we need to really drill in and understand the kinds of security problems that can occur when private networks are connected to the Internet and, more important, how ISA Server can help alleviate these problems. Configure and secure the firewall in accordance with corporate policies.
There are six kinds of security issues that you can run into when considering your design and deployment of ISA Server. Let’s look at each one closely.
Outgoing Requests Perhaps the largest component of your work with ISA Server will revolve around making sure that malicious content cannot enter your private network by controlling where users are allowed to go on the Internet.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Security Problems in the Enterprise 241
With ISA Server clients, you must apply several rules to see whether a client has access or not. You first create a Client Access Policy allowing internal clients to access specific sites. You also configure routing rules and site and content rules, along with protocol rules. You then evaluate the combination of all of these rules before a client can go to a specific site. These rules are processed in a certain order: 1. Protocol rules: If you have a rule set that doesn’t allow FTP to be
used at any site, then when a client tries to FTP, they will be stopped. 2. Site and content rules: ISA Server next checks to see if a site and
content rule exists that specifically allows or denies the client request for access. 3. IP packet filters: Any IP packet filter that has been configured is then
checked to see if it denies the client access. 4. Routing rules or firewall chaining configuration: Routing rules apply
to web proxy clients only; firewall chaining rules apply to SecureNAT and firewall clients.
Incoming Requests ISA Server can also monitor incoming requests. Internet users might want to access the private network for obtaining content from an internal web server or application server. External clients might also desire to obtain content from servers on your demilitarized zone (DMZ). You can provide access to these kinds of servers through several methods: ■
■
■
Web publishing rules set up standards for publishing internal web server content to the Internet. Server publishing rules control how other servers (such as e-mail servers) publish their content on the Internet. IP packet filters watch for certain kinds of incoming packets and prohibit them from entering the internal network.
When an ISA Server gets an incoming request, it checks in the following order to see whether the request is allowed: IP packet filters, web publishing rules, routing rules.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
242
Chapter 5
■
Configuring ISA Server for the Enterprise
Application Filters Application filters are ISA Server–specific components that allow the Firewall service of ISA Server to interact with protocol streams or datagrams and filter out undesired protocols or activities. Application filters can also perform protocol- or system-specific tasks such as virus scanning and authentication. To do this, ISA Server’s Firewall service uses extensions. The following extensions come with ISA Server: HTTP Redirector Filter This extension allows you to configure whether internal client requests from Firewall and SecureNAT clients are proxied through the web proxy service (thus NAT-ting them and caching the ensuing results), go directly to the website requested, or are not allowed access to the website requested. FTP Access Filter This extension is provided for the purpose of monitoring SecureNAT client access to FTP sites. You can tune the client’s access permissions to FTP using this filter. SOCKS Filter This extension is utilized by the Firewall service to forward requests of SOCKS (a protocol used to handle the TCP protocol over a proxy server) applications. Note that the default SOCKS port used by ISA Server is port 1080, although this is configurable. SMTP Filter This filter is automatically installed. It has the capability of monitoring incoming SMTP messages on port 25. You can reject certain users if you desire—keeping spamming to a minimum. (Note that Exchange Server also has this capability—the difference is that you catch the messages at the firewall rather than forwarding them to Exchange Server for filtering.) RPC Filter This extension is provided for enabling Remote Procedure Call (RPC) servers to publish to the Internet. Exchange Servers that are pre–Exchange 2000 utilize RPC, and there is an Exchange-specific filter included with ISA Server. Streaming Media Filter This filter is provided so that you can control incoming streaming media for your SecureNAT and firewall clients. You can, out of box, control Microsoft Media Player services (MMS), the Progressive Networks Protocol (PNP), which allows for RealPlayer client access and server publishing, and the Real Time Streaming
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Security Problems in the Enterprise 243
Protocol (RTSP), utilized by RealPlayer G2 and Apple’s QuickTime 4 client access and server publishing. Intrusion Detection Filters Two filters for intrusion detection are supplied, one for Domain Name System (DNS) and one for Post Office Protocol (POP) e-mail intrusion. The intrusion-detection software used in ISA Server is based on functionality provided by Intrusion Security Systems, Inc. (www.iss.net). H.323 filter The H.323 filter monitors audio/video streaming across the firewall. Vendor-specific web and application filters ISA Server can also work with customized filters created for web or application-specific content.
Intrusion Detection ISA Server comes equipped to monitor several given network intrusion attempts. The following events are monitored and alerted for: All ports scan attack ISA Server notifies you when the number of ports being scanned exceeds your present threshold. (Port-scanning software is usually free and very easy to obtain.) Enumerated port scan attack This attack goes beyond the all ports scan attack because it looks for specific services that are associated with a given port. Note that you may not necessarily be under attack if a given port is enumerated and scanned for available services, but there may have been an attack of some kind. The firewall logs will reveal the address of the computer doing the scanning. IP half scan attack This is a subtle method of attacking a system whereby the attacker requests a port from a destination computer and waits to see if they get a Synchronization/Acknowledgment (SYN/ACK) packet or a Reset (RST) packet. Under normal circumstances where a computer is actually requesting a port, it would send an Acknowledgment (ACK) packet as soon as it got the SYN/ACK back from the destination computer. Since systems don’t typically log attempts to access a port until an ACK is received, the attacker can probe the ports on a computer without being detected. Figure 5.1 shows this graphically.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
244
Chapter 5
■
Configuring ISA Server for the Enterprise
FIGURE 5.1
An IP half scan attack
Syn port 110? Firewall computer
SYN/ACK Firewall computer Aha! POP is being used on this server.
Hmm, must not have wanted to use me after all. Firewall computer
Land attack This is a SYN attack where the attacker spoofs their computer’s IP address as that of the destination computer. The destination computer thinks it is getting a synchronization request from itself; the request sends some TCP implementations into a loop and crashes the computer. Very ingenious stuff! Ping of Death attack An interesting thing happens when you send thousands upon thousands of simultaneous pings to a server. Its kernel buffer overflows and it crashes to the ground! Several big companies, Microsoft included, were disrupted by this type of attack a few years ago. ISA Server filters for Ping of Death attacks. Another term for the Ping of Death attack is the Denial of Service (DoS) attack. With a DoS attack, the network is simply flooded with useless information or in some way bogged down by repeated requests that serve only to bring computers to their knees. UDP bomb attack Strictly for older computers, the User Data Protocol (UDP) bomb attack happens when a UDP datagram containing invalid data in certain fields is sent to the computer. ISA Server is able to filter out UDP bomb attacks. Windows out-of-band attack Similar to the DoS attack, ISA Server detects these attacks in out-of-band packets. An out-of-band packet occurs when certain protocols allow packets of an unusual type to be sent ahead of the ordinary data streams. Audio and video streaming
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Common Security Problems in the Enterprise 245
that has been set up with a priority of service queue might be considered to consist of out-of-band packets. If you can send a DoS through out-of-band packets, you have an unusually powerful DoS because it’s less easily detected. ISA Server can watch for out-of-band attacks.
ISA Server System Security You can use a built-in security wizard with ISA Server to set ISA’s internal security. This is what is referred to in earlier chapters as system hardening. There are three levels of system security that you can set: Secure You’ll use this setting when ISA Server is used for other things such as IIS, SQL, or SMTP server. Limited Services Use this setting when ISA Server is running as both a firewall and a cache server. Note that ISA Server can be protected by placing an additional firewall ahead of it. Dedicated Use this setting when the computer is dedicated to ISA Server running as a firewall.
Virtual Private Networks ISA Server comes with a Virtual Private Network (VPN) Wizard that allows you to set up VPN connections. Here’s the catch—you can set up VPN connections only between ISA Servers. You must have one remote and one local ISA Server in order to use the VPN connection. But what a cool utility this is, because now all you have to do is the following: 1. Provision a high-speed ISP connection on your remote network. 2. Provision a high-speed ISP connection on your local network (thus
saving WAN connection charges between the two networks). 3. Set up an ISA Server on both ends. 4. Set up your VPN.
Voilá! What could be simpler than this? It’s like shooting fish in a barrel. Your remote network can communicate with your local network, and you save expensive long-distance WAN charges. However, you must monitor all of these things according to your corporate standards. This means that you have to sit down with
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
246
Chapter 5
■
Configuring ISA Server for the Enterprise
stakeholders and determine exactly what the standards are that you’re going to work with in your company. There are some hot buttons that some companies won’t touch—VPNs in particular. Here are some suggested topics to talk about when determining corporate policies: ■
Will you be setting up VPNs?
■
Will you enable intrusion detection?
■
■
■
■
Will there be an ISA Server array for data caching or independent entities that need to configure their own rules? What types of protocols will you allow inside? Outside? Will you be reverse-hosting internal web servers? Application servers? Will you want to filter certain Internet content, and will this require a third-party add-on?
Tied into this is the idea that stakeholders, even non-technical ones, must understand all of the functionality that ISA Server has at its disposal— which is tremendous to say the least. Somehow, you need to get across to non-technical people which things need monitoring and get buy-in and consensus from everyone on the way the new installation will be configured.
Even Microsoft Uses It In working with Microsoft one very late evening, trying to figure out a Proxy Server 2.0/Exchange Server connectivity problem, I was shocked to find that the support technicians were using regular old freeware port-scanning software to examine the ports on my Proxy Server to see if they were open and able to dialog with the outside world. It didn’t scare me so much that they wanted to scan to see if port 25 was open and ready to talk, but rather how easily they could scan the ports to see if my Proxy Server was ready to go. Not to belittle Microsoft technical support engineers in any way, but if it was a very trivial, matter-of-fact process to use this freeware
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Packet Filtering 247
software to scan the ports on my Proxy box, how much more should admins be concerned about people who are scanning the ports on their entry gear without them knowing about it? When you think about it, it’s pretty scary stuff! Thanks to ISA Server, the port-scanning issue becomes a non-issue.
Packet Filtering
T
he heart and soul of good proxy servers falls on the concept of packet filtering. The idea fleshes out like this: There are streams of packets heading into and out of the ISA Server. You wish to examine packets of a certain kind—let’s pick on Transmission Control Protocol (TCP) packets—and a specific port that the packets are going to—port 25 in our example case. Configure and secure the firewall in accordance with corporate policies. Configure the packet filter rules for different levels of security, including system hardening.
■
You wish to allow all packets going out from the internal network to port 25 on the ISA Server and all incoming packets destined toward the ISA Server from the Internet. What you’re really doing is allowing SMTP packets through so that people can work with Internet e-mail. But consider the components that we have to be aware of: ■
Type of packet
■
Port number the packet wants to use
■
Packets incoming, outgoing, or both
■
Machines that are allowed to receive incoming packets
■
Machines to which outgoing packets can be sent
With packet filtering, you have an all-or-nothing situation. In other words, if packet filtering is enabled, only the packets that you’ve explicitly allowed are able to cross the firewall. Conversely, if packet filtering is
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
248
Chapter 5
■
Configuring ISA Server for the Enterprise
turned off, then all packets are free to cross the firewall—there are no restrictions. That’s how it used to be in Microsoft Proxy Server 2.0. In ISA Server, however, if packet filtering is not enabled, then you must explicitly configure access rules, either through access policies or by publishing rules in order to allow packets to cross the firewall. If no firewall rules are configured and no packet filtering is going on, then no one is getting through the firewall. Note that you are provided extensive granularity in the way that you set up your packet filtering because you can not only pick the nature of the packets you’ll accept, either incoming or outgoing, but you can also determine which machines are allowed to obtain the packets. Microsoft does not recommend that you use packet filtering as your primary method of firewalling. Microsoft prefers that you set up access policy rules that allow internal users access to the Web and publishing rules that allow external users access to internal servers. The reason for this is that packet filtering keeps the port open at all times even when it’s not in use. In other words, port 25 is open 24/7/365 (provided the computer’s up) for TCP packets in the scenario we described above. Thus, port 25 becomes eminently hackable. On the other hand, by setting up specific rules, you allow the ports to be opened as needed and closed when not needed. This is called dynamic packet filtering because the ports are dynamically opened. As a good designer, you might intuitively guess that the dynamic opening of ports will take up more system resources than if you merely opened the floodgates and let the packets tromp through. So, design your ISA Server box accordingly, with this in mind: ’Tis always best to overengineer rather than under-engineer. There are certain times when you might need to consider packet filtering instead of rules. Let’s look at some examples: ■
■
■
You’re publishing servers that are on the DMZ. In cases such as this, you want to keep specific ports constantly open, restricted to certain computers and certain packets. Packet filtering makes more sense in a case such as this. You’re running applications that require listening to a certain port. This situation is very common and something to pay attention to in your application documentation. You have protocols that are being used over the Internet but are not based upon UDP or TCP. There aren’t many of these out there; most protocols utilize either TCP or UDP and a specific port, but there may be an oddball protocol that doesn’t and that requires packet filtering instead.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Packet Filtering 249
You should be aware that ISA Server offers you two unusual kinds of packet filtering. The first is called IP fragment filtering. Hackers have figured out that if they send fragments of an IP packet to a destination computer, they can get them inside the private network and then reassemble them. By enabling IP fragment filtering, you disable this capability. Also, hackers have discovered that they can use the IP Options portion of the header of an IP packet to wreak havoc. You can enable IP options filtering to avoid this problem. To turn on packet filtering, navigate through the ISA Server Management Console pane to Access Policy ➢ IP Packet Filters. Right-click IP Packet Filters, select Properties, and you’ll bring up the IP Packet Filters Properties window General tab, as shown in Figure 5.2. Notice that, by default, packet filtering is enabled. The Details window of the ISA Server Management console provides a list of enabled packet filters. FIGURE 5.2
The General tab of the IP Packet Filters Properties window
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
250
Chapter 5
■
Configuring ISA Server for the Enterprise
Choose the Packet Filters tab to open the window where you can enable the two odd types of packet filters we talked about previously: IP fragment filters and IP option filters, as shown in Figure 5.3. FIGURE 5.3
The Packet Filters tab of the IP Packet Filters Properties window
These two packet-filtering types are disabled by default—you’ll need to be cognizant of them and enable them if you want them on. Interestingly, you don’t configure the rest of the packet filters from the IP Packet Filters Properties window. Instead, you use the Create A Packet Filter Wizard, as shown in Figure 5.4. You can bring up the ISA Management window by choosing Start ➢ Programs ➢ Microsoft ISA Server ➢ ISA Management and then navigating in the Management console down to the Access Policy ➢ IP Packet Filters node. The left-hand pane of the Management console is called the Context pane, the righthand the Details pane.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Packet Filtering 251
FIGURE 5.4
The Details pane of the ISA Server Management console showing the Create A Packet Filter Wizard icon
Note also from Figure 5.4, as we mentioned earlier, that several packet filters are enabled and busy filtering. By scrolling down through this window, you’ll notice that each of the predefined packet filters is of type Allow. You can double-click any of the predefined packet filters to bring up a window showing you their exact configuration. You can also choose to disable the packet filter by bringing up its Properties sheet and deselecting the check box shown in the bottom-left corner of Figure 5.5. ICMP(Internet Control Message Protocol) is used for the ping command, so the packet filter that we’re paying attention to in this case allows all internal users to ping an outside host. The next succeeding packet filter allows the ping response to come back to the client issuing the initial ping. To streamline this packet filter a bit more, you could choose the Local Computer tab of the Properties sheet and key in specific information, thus allowing only certain computers to ping out. You could also set up the Remote Computer tab so that only certain remote computers could respond to a ping command. Note that you’ve now effectively ruled out ping responses for a certain number of people, but you’ve not eliminated the Ping of Death intrusion. This is done by enabling Intrusion Detection and configuring it so that it disallows the Ping of Death.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
252
Chapter 5
■
Configuring ISA Server for the Enterprise
FIGURE 5.5
A response packet filter Properties sheet
Just for fun sometime, trying pinging www.microsoft.com. You will not be successful in this—for a reason. Microsoft was one of a handful of large companies that lost service for a time when a large Ping of Death onslaught hit them.
Configuring Packet Filters Packet filter rules are configured using the Create A Packet Filter Wizard located in the Details pane of the IP Packet Filters section of the ISA Server console. You click the wizard and follow the prompts to create or modify a packet filter. In Exercise 5.1, we’ll create and configure an IP packet filter that opens up port 25 for incoming SMTP packets.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Packet Filtering 253
EXERCISE 5.1
Creating and Configuring a Packet Filter 1. Start the wizard and you will see a screen prompting you for the name of this packet filter. In the IP Packet Filter Name field, type SMTP.
2. Next, you determine whether you’re setting a packet filter that allows or blocks packet transmission. Since we’re going to allow SMTP traffic to pass through port 25, we’re creating an Allow rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
254
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.1 (continued)
3. Continuing on, you can choose to create a custom packet filter or select from a list of predefined packet filters. In this case, the SMTP packet filter is already present, so you’ll select it from the Predefined drop-down list.
4. Next, the wizard wants to know whether we’re going to use all external addresses that the ISA Server is configured with, a specific external address of the ISA Server, or a computer on the perimeter (DMZ) network. The default is to use all external addresses and this will work fine for our needs, even if we were to have only one external NIC on the ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Packet Filtering 255
EXERCISE 5.1 (continued)
5. Next, we’re given a choice of whether to apply the packet filter to all remote computers or to a single remote computer. Intuitively, you can see that you’d have to create several similar rules in order to provide packet filters for a number of machines if you did not want all external machines to be able to use the rule, so accept the default.
6. The final screen summarizes your choices. Click Finish to exit the wizard.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
256
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.1 (continued)
7. At this point, you might have a question as to how we know that the port being filtered is port 25. ISA Server assumes when you create your packet filter that you’re going to be using the default port for the packet filter. If this is not so, then once you’ve created it, the packet filter will show up in the ISA Server console’s list of active packet filters, and you can edit its properties to change the port (or other settings) accordingly. In the following graphic, you’ll notice that we’ve pulled up the Properties sheet for our newly created SMTP packet filter. The Filter Type tab confirms that the port is, indeed, 25.
Note in Exercise 5.1 that, as with other packet filter Properties sheets, you have the ability to allow only certain remote computers as well as certain internal computers to be able to use the packet filter. You may, for example, want to tweak your SMTP packet filter so that the Local Computer section of the Properties sheet points strictly to your Exchange Servers, thus keeping a wily hacker from being able to get to points unknown by entering through a poorly configured open port 25.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Packet Filtering 257
Setting up a Block-type packet filter works exactly the same way.
You can log the packets for Allow-type filters by right-clicking IP Packet Filters from the ISA Server Management console, choosing Properties, choosing the Packet Filters tab, and checking the Log Packets From “Allow” Filters check box.
Leveraging ISA Server As a Router and a Firewall Notice in the Details pane of the ISA Server Management console for IP Packet Filters (shown previously in Figure 5.4) that you can set security for the ISA Server simply by running the Secure Your ISA Server Computer Wizard. When you run this wizard, you’ll be presented with three different security options:
Dedicated This computer is running as a dedicated ISA Server with no other adjunct functionality. Limited Services
This computer is also functioning as a domain controller or infrastructure server (PDC emulator, etc.).
Secure
This computer has databases or other applications loaded
on it. Note that there is no option for a computer that’s a domain controller (DC) and is running other applications. Select the Secure option if you have a server in such a circumstance. Microsoft recommends that you consider running your ISA Server as a router when you’ve configured packet filters because you gain the security of packet filtering with the forwarding of packets through the router software. To set up your ISA Server as a router, simply rightclick IP Packet Filters, select Properties, and click the Enable IP Routing check box found under the General tab of the Properties sheet. Note that routing, by virtue of its nature, will work better when you consider which computers you’re routing packets to, rather than allowing carte blanche packet forwarding.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
258
Chapter 5
■
Configuring ISA Server for the Enterprise
Access Policy
I
SA Server provides enormous granularity in the level of control that you’re afforded over the various features that are provided. In this section, we talk about access control, setting up policies and rules to control the internal client’s Internet experience. Create and configure access control and bandwidth policies. ■
Create and configure site and content rules to restrict Internet access.
■
Create and configure protocol rules to restrict Internet access.
■
Create and configure routing rules to restrict Internet access.
■
Create and configure bandwidth rules to control bandwidth usage.
Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups. Setting up access policies, that is, controlling the Internet sites that your internal clients can visit, is one of the foremost functions you’ll perform when setting up an ISA Server. You set up access policies by configuring the following items: ■
Protocol rules
■
Site and content rules
■
IP packet filters
■
Routing rules
■
Firewall chaining configuration
When ISA Server checks an internal client’s outgoing access policies, it evaluates the policy in exactly the order shown above.
Protocol Rules Protocol rules define which protocols are specifically allowed or denied. You can deny or allow for all users or for a specific group. You can also
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
259
select whether to allow or deny for all IP traffic, for given IP protocols only, or with the exception of given IP protocols. Since ISA Server evaluates the access in specific order, it is possible to grant a user complete access to all IP protocols and then have an IP packet filter that blocks, for example, SMTP. Note, too, that you can also set up a calendar that allows access only for given days or times. We’ll talk about that in a moment. In Exercise 5.2, we’ll create a protocol rule. EXERCISE 5.2
Creating Protocol Rules 1. Navigate down the Console pane of the ISA Server Management tool to Access Policy ➢ Protocol Rules.
2. Click the Create A Protocol Rule Wizard icon in the Details pane. As the wizard begins, it’s very similar to the IP Packet Filters Wizard.
3. You’re first presented with a screen asking you to name the protocol rule. Pick a name that’s descriptive of what the rule does. In the Protocol Rule Name field, type in Disallow FTP access for account group.
4. Next, select whether you want to use an Allow or Deny rule. Since we’re denying access to the Accounting group, you need to select a Deny rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
260
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.2 (continued)
5. In the ensuing screen, you’re asked if you want to apply the rule to All IP Traffic, Selected Protocols, or All IP Traffic Except Selected. In our case, we’re going to apply the rule to selected protocols— namely FTP.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
261
EXERCISE 5.2 (continued)
6. Select FTP, FTP Download Only, and FTP Server.
7. In the next window, you’re prompted to select a schedule you’d like to maintain for this particular rule. You have the choice of Always, Weekends, or Work Hours, the default being Always. This is fine for our rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
262
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.2 (continued)
8. Next, you’re prompted as to whether the rule should apply to Any Request, Specific Computers (Client Address Sets), or Specific Users And Groups. Since we’re going to apply this rule to the Accounting group, select Specific Users And Groups.
9. Next, you must add the Accounting group to the protocol rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
263
EXERCISE 5.2 (continued)
10. The new protocol rule now appears in the Details pane of the ISA Management console.
In concluding our discussion of protocol rules, a few additional items are worth mentioning. Only HTTP, HTTPS, Gopher, and FTP rules are allowed for ISA Servers that are configured as cache-only. Firewall and hybrid configurations allow for the introduction of other protocol rules. There are no protocol rules in the ISA Server initial installation. It is up to you to create them as you bring up the server, remembering that protocol rules are evaluated first. Note that you could simply create one Allow rule that allows all protocols to everybody, thus opening the floodgates. Remember to control these rules as needed later on with IP packet filter rules or site and content rules. You can edit the rule at any time by double-clicking it or running the Configure A Protocol Rule Wizard. Note that all rules created as part of a system’s total access policy show up in the Details pane when you select the Access Policy node. If you have a protocol for which there is no definition within the Protocol Rule Wizard, you must first create the protocol definition. Navigate through the ISA Management console to Policy Elements ➣ Protocol Definitions. You’ll need to know the port number the protocol uses, whether it’s TCP or UDP, and whether you expect the protocol to be
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
264
Chapter 5
■
Configuring ISA Server for the Enterprise
inbound or outbound (note that if you expect both, you’d have to create two protocol definitions, one for each direction). You can also stipulate a secondary connection, as some protocols utilize a second port when setting up a connection. If you’re not sure of this information, you’ll need to contact the software vendor that wrote the protocol or consult some Internet materials for more information.
Site and Content Rules Creating a site and content rule allows to you to specify access to the Internet for given hosts. There is, by default, one site and content rule that allows any request to any site—the barn doors are open and the horses are free to run. You can create a new rule by clicking the Create A New Site And Content Rule icon and running through the wizard. The wizard is quite similar to earlier ones you’ve seen. You still need to figure out whether you’re creating an Allow or Deny rule. If you opt to deny access, you can also set up the rule so that it redirects the client to a different site. You can also pick the destinations that the rule you’re creating applies to: All Destinations, All Internal Destinations, All External Destinations, Specified Destination Set, or All Destinations Except Selected Set. All Destinations is, of course, the default. If you select specific destinations, you can opt to use either the name or the IP address (or both). Use both because users are smart and can figure out how to access the site by IP address if you use only the name of the site.
Destination sets are configured as Policy Elements and then implemented via the Specified Destination Set option. Destination sets must be configured before they can be used here.
You’re also presented with a Schedule screen like the one that the protocol rule uses. In addition, you can select whether any requests, specific computers, or specific users and groups can use this rule. Once you’ve filled in the appropriate data in the wizard, click Finish to exit the wizard. You can double-click the rule in the Details pane to edit it or run the Configure A Site And Content Rule Wizard later on if you want to change it. In Exercise 5.3, we’ll create a routing rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
265
EXERCISE 5.3
Creating a Routing Rule 1. Navigate through the ISA Server Management console to Network Configuration ➢ Routing to view the current routing rules. Not surprisingly, the default includes one rule that routes all traffic to the destinations required by the packets.
2. You can opt to modify this rule or add a new one by right-clicking anywhere in the Details pane and selecting New ➢ Rule, which brings up the New Routing Rule Wizard, very similar to the previous wizards. Type in a meaningful name.
3. You’re then presented with a destination choice: All Destinations (the default), All Internal Destinations, All External Destinations, Specified Destination Set, or All Destinations Except Selected Set. In this example, choose All Destinations.
4. Next, you’re prompted for the action. You can choose from the following options: Retrieve Them Directly From Specified Destination, Route To A Specified Upstream Server, or Redirect To Hosted Site on a given port or Secure Sockets Layer (SSL) port. You can even opt to use a dial-up entry for the destination. In this example, choose Retrieve Them Directly From Specified Destination.
5. You’re then prompted as to how you’d like the cache to be utilized. Would you like the router to retrieve a valid version of the object from the cache and retrieve it directly from the destination site only if it
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
266
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.3 (continued)
doesn’t exist in the cache? Would you prefer any version of the object in the cache? Or would you not route the request if the object didn’t exist in the cache? For this example, choose the first option.
6. Next, you’re prompted as to how you’d like to cache information about the request. You can choose to cache the information, cache only if the source and request headers say to cache, or never cache at all. For this example, choose to cache the information if source and request headers indicate to cache. Click Finish to conclude the rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
267
As with any of the rules you’ve created previously, you can edit your new rule at any time by simply double-clicking it. The Policy Elements node of the ISA Management console allows you to configure special policy options that you’ll utilize when setting up access policies. Site and content rules can utilize several different features that you may need to think about tweaking or pre-configuring. For example, if you know that you have a certain group of users who need to go to specific sites and you want to curb the bandwidth these users utilize, then you can create a bandwidth rule to minimize the effect of their surfing. In the ISA Management console, navigate to Server_name ➢ Bandwidth Rules to create a new bandwidth rule. Note that the default bandwidth rule stipulates all IP traffic, all destinations, all the time—in other words 100 percent bandwidth utilization at all times. You can also create new bandwidth priorities by navigating the ISA Management console to Policy Elements ➢ Bandwidth Priorities. Here you set a priority between 1 and 200 for your bandwidth, 100 being the middle of the road (50 percent of total bandwidth). The Default Bandwidth Priority is set to 100. You may decide to create a new bandwidth priority for a given set of users (client address sets) and then create a new bandwidth rule that refers to this newly created bandwidth priority. Thus, by applying a specific bandwidth priority to a bandwidth rule that works for a specific set of clients, you have extremely granular control over who can use what bandwidth on a network. Client address sets are simply a grouping of IP addresses to which you assign a name. Navigate the ISA Management console to Policy Elements ➢ Client Address Sets; then right-click and select New ➢ Set to create a new client address set. It’s very important to keep in mind, especially for testing purposes, that a client address set is not a list of user names or groups; it is a listing of IP addresses that can be used in various access rules. Destination sets, also found in the Policy Elements node of the ISA Management console, house the names of specific destinations. You may wish, for example, to allow users to access only a specific set of sites. Create a destination set for each site that you want to allow, and then refer to these destination sets in your site and content rules. Note that if a site has multiple references (e.g., weather.mysite.com, news.mysite.com, sports.mysite.com), you can key in each of these references into one destination set. Content groups are the odd policy element that you might deal with occasionally. Content groups do not, as their name might imply, filter web content and keep users from hitting sites that contain certain key words.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
268
Chapter 5
■
Configuring ISA Server for the Enterprise
For that you need third-party add-on web-filtering software. Content groups are used to rule out certain file extensions. For example, to keep any EXE files from coming in your door, you might set up a content group that prohibits this extension.
Bandwidth Limiting You’ll find the bandwidth rules as a root node directly under your ISA Server’s name in the ISA Server Management console. As you might have already guessed, the default bandwidth rule allows all IP traffic content to go to all destinations all the time and applies to any request. But that doesn’t help curb bandwidth usage, so you may find it useful to set up a bandwidth rule that keeps traffic down during, for example, work hours. In Exercise 5.4, we’ll create a bandwidth rule. EXERCISE 5.4
Creating Bandwidth Rules 1. Begin creating your bandwidth-limiting rule by either right-clicking the Bandwidth Rules node or right-clicking within the Details pane of Bandwidth Rules. Choose New ➢ Rule to bring up the New Bandwidth Rule Wizard.
2. Give the rule a meaningful name. In our example, type Limit bandwidth during work hours.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
269
EXERCISE 5.4 (continued)
3. Next, you’re prompted for the kind of traffic you want to limit: All IP Traffic, Selected Protocols, or All IP Traffic Except Selected. Since we’re setting up a rule that limits all traffic during specified hours, we’ll go with All IP Traffic.
4. Now you’re prompted to select a schedule to apply. Your choices are Always, Weekends, or Work Hours. Since our rule will be applied to work hours, select that schedule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
270
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.4 (continued)
5. The wizard now wants to know what type of client to apply the rule to. Your options are Any Request, Specific Computers (Client Address Sets), and Specific Users And Groups. For our example, choose Any Request.
6. Next, you’re asked to which destinations to apply the bandwidthlimiting rule. Since we’re interested in whittling bandwidth demands down a bit, select All Destinations for this particular rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
271
EXERCISE 5.4 (continued)
7. Next, you must decide whether to apply this rule to All Content Groups or Selected Content Groups. Your choices include audio, video, VRML, and so forth. Again, we’re interested in ruling out all kinds of content during the specified schedule, so we’ll select All Content Groups.
8. Here’s where it gets tricky. You’re asked to set the bandwidth priority for this rule. Note that the default is set to 100, halfway between the top priority of 1 and the bottom priority of 200. If you want to set a higher priority, enter a lower number (such as 10 for what is called good access or 1 for best access). In our case, select Default Bandwidth Priority from the drop-down list box, which is set for roughly 50 percent of bandwidth. If you select the Use Default Scheduling Priority radio button, ISA Server will utilize Windows 2000’s scheduling priority instead. If this is the first bandwidth rule you’ve created, the only choice you have will be Default Bandwidth Priority. We’ll show you how to create new priorities in just a minute.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
272
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.4 (continued)
9. Finally, you’re presented with the Finish screen to finish up the configuration of your rule. Once the rule is finished, it takes precedence over the default rule. You can edit the rule at any time by simply double-clicking it. If you open the Bandwidth tab of the Properties sheet for the rule and click New, you can create a new rule, as shown in the following graphic.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Policy
273
EXERCISE 5.4 (continued)
Simply key in a meaningful name and (optional) description for the rule, and set your outbound and inbound bandwidth restrictions, remembering that 1 is the highest, 200 the lowest. Keep in mind that if you haven’t created a rule for a given protocol, it takes the lowest bandwidth priority.
By viewing the Schedule tab of the Properties sheet for your new rule, you can see that work hours, by default, are considered to be 9:00 A.M. to 5:00 P.M., probably not hours that are in keeping with where you work. Note that, just as with a new bandwidth priority, you can create a new schedule to apply to this rule, as shown in Figure 5.6. FIGURE 5.6
Creating a new schedule
Note also that you can configure the protocols, destinations, HTTP content, and whom the rule applies to, all within the Properties sheet of this rule. Finally, it’s important to note that bandwidth rules are not enabled by default. You enable your bandwidth rules by right-clicking the Bandwidth Rules node, selecting Properties, and then checking the Enable Bandwidth Control check box, as shown in Figure 5.7.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
274
Chapter 5
■
Configuring ISA Server for the Enterprise
FIGURE 5.7
Enabling bandwidth control
Bandwidth rules and IP packet filters are the only two things you need to worry about enabling through the Properties sheet of their respective nodes.
The Cable Modem User Redux Is it important to control your cable modem users who have VPN connectivity into your network? Absolutely! Consider that a cable modem has the capability of sucking up hundreds, even thousands, of kilobits per second as a user connects to and begins to use your private network.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 275
Don’t believe me? Take a look at the following graphic, taken during early evening from the PC that I use to write most of the material in my books—one that’s equipped with a cable modem to the Internet. Note that the bandwidth is very impressive, a little over the equivalent of two T1 lines’ worth!
But suppose that a cable modem user utilizing a VPN to get into your network has this kind of horsepower and your network can hardly muster, say, 30K per user. You’d be really strapped—your VPN user would unwittingly take up every bit of available bandwidth they could muster. Hence, you have a very good reason for creating bandwidthlimiting rules.
Creating Arrays
N
ext, we dive into the power of creating and working with ISA Server arrays. Arrays are a grouping of two or more ISA Servers that are linked together. ISA Server arrays can provide very powerful configuration mechanisms for your network, including the following: ■
Sharing of web cache (distributed caching)
■
Hierarchical web caching
■
Fault tolerance
■
Load balancing
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
276
Chapter 5
■
Configuring ISA Server for the Enterprise
Install ISA Server. Installation modes include integrated, firewall, and cache. ■
Install an ISA Server computer as a member of an array.
Manage ISA Server arrays in an enterprise. ■
Create an array of proxy servers.
■
Assign an enterprise policy to an array.
Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).
Most prominent in the design of your ISA Server deployment is whether you’ll need an array or not and, if so, what you’ll use the array for. Note that arrays can be created only with ISA Server Enterprise Edition, not Standard Edition. You gain with ISA Server arrays by way of the fact that all of the servers are configured identically and you can control all of them from a single management console.
In order for ISA Servers to work in an array, they must be members of a Windows 2000 domain, although you can install ISA Server Enterprise Edition as a stand-alone installation in Windows NT 4 domains.
Installing ISA Server in an Array In Exercise 5.5, we’ll install ISA Server in an array. EXERCISE 5.5
Installing ISA Server in an Array 1. You must start your ISA Server array installation by preparing Active Directory (AD) by extending and updating its schema to support the addition of ISA. Insert the ISA Server Enterprise CD and wait for auto-run to bring up the splash screen.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 277
EXERCISE 5.5 (continued)
Note that you can install ISA Server Enterprise Edition over the top of an existing Microsoft Proxy Server 2.0 or an ISA Server Standard installation. By clicking the Run ISA Server Enterprise Initialization button, you go forward in setting up Active Directory to accept ISA Server Enterprise as well as ISA Server arrays.
2. Next, you’re prompted that ISA Server will update Active Directory. If this is okay, click Yes.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
278
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.5 (continued)
3. You’re then asked whether, when installing to AD, ISA should use an array policy only or should use an enterprise policy. You’re given a default name for the enterprise policy, although you’re welcome to change it. You’re also allowed to create array policies that may restrict the enterprise policy, to allow publishing rules, and to force packet filtering on the array. It may be a good idea to cover your bases by checking all three check boxes and going with an enterprise policy.
4. Next, the wizard begins its extension of the AD schema. This activity can take several minutes on smaller systems, even longer on bigger deployments. The information stored in the schema pertains to the storage of policies, rules, and related objects in Active Directory. Note that you’ll have to wait for the schema addition to replicate throughout the enterprise if you have more than one domain controller participating in AD. When you’ve finished with the schema update, you’re prompted that you need to wait for this replication to finish.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 279
EXERCISE 5.5 (continued)
Note that all servers that you intend to participate in the array must be installed with ISA Server Enterprise Edition, but it’s necessary to update the schema only once.
5. Next, you go about your regular business of installing ISA Server Enterprise Edition to the servers that you want to participate in the ISA Server deployment as stand-alone installations. If you’re installing ISA Server as an array member, you’re prompted with the following screen:
All array members must be in the same domain and in the same site in order to participate in the array. All members of the array can share an enterprise policy, or you can opt to allow each member to have its own array policy. The latter might be useful in a situation where you have several array members spread throughout various campus buildings. You can also determine which members of the array will be allowed to publish and which will not. You can also enforce packet filtering on the arrays. Note that it’s possible to have stand-alone ISA Servers in the same domain with an array of ISA Servers.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
280
Chapter 5
■
Configuring ISA Server for the Enterprise
Once the array is set up, each member of the array can be individually monitored and configured, or you can configure them collectively.
Network Load Balancing Perhaps the biggest and best reason for setting up an array is that the load is automatically distributed across the servers in the array, thus increasing performance. This could wind up being detrimental if one of the servers in the array is weaker than others, so it might make sense to provision array servers so that they’re all exactly alike. However, NLB does provide some configuration settings to account for this anomaly. If you have servers in the array with different capacity hard drives, thus allowing one to hold more cache data than another, you can adjust each server’s load factor. Select the array; then right-click the server and select Properties, or just double-click the desired server name. From the Array Membership tab, you can adjust the server’s load factor. You can also get there by selecting the desired server from the Computer node of the ISA Server Manager. The load factor is a relative number that compares one array member to another—the higher the number, the greater the load. Load factors start at 100. For example, if you have one array member that has four times more hard drive than another, set the smaller member’s load factor to 25, the larger member’s to 100. Generally speaking, arrays work well in large domains with geographically separate sites that all need to participate in the ISA Server array. You can allow administrators of each individual ISA Server in the array to define separate usage policies, or you can define one central enterprise policy. ISA Server can utilize Windows 2000’s Network Load Balancing (NLB) feature to accomplish its balancing across arrays. First, set up your cluster nodes, those computers that will be participating in the cluster, and get NLB installed. Then install ISA Server Enterprise on each, creating an array and making both nodes a member of the same array. Finally, configure NLB so that both nodes are managed using NLB. We’ll use Exercise 5.6 to walk you through the steps of configuring NLB on your ISA Servers. However, there are some prerequisites that you must fulfill before you can begin such an exercise. All computers using NLB must have Windows 2000 Advanced Server or DataCenter Server installed on them—plain-old Windows 2000 Server will not work for this
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 281
process. In addition, if you’re going to configure multiple ISA Servers in an array, all of the servers must belong to the same Windows 2000 domain. Also, Microsoft recommends that you install two Network Interface Cards (NICs) in each computer participating in NLB, although it is possible to use NLB with single-NIC computers. Having dual NICs in each NLB computer allows you to set up one NIC for the internal NLB IP address and the other for network traffic trying to communicate with the server. You could come up with a simple configuration where you have a couple of servers with dual NICs, one of which is connected to the regular network, the other of which is connected to a mini-hub or switch that’s used strictly for intra-cluster communication. Figure 5.8 shows such a design. FIGURE 5.8
Example of an NLB server setup
1
2
3
4
Mini-hub or switch NIC2
NIC2
NIC1
NIC1
NLB Server 1
NLB Server 2 RI
1
2
3
4
5
6
7
8
RO
To regular network
EXERCISE 5.6
Enabling and Configuring NLB We’ll perform this exercise on all NLB computers—one at a time. Note that this exercise utilizes single-NIC computers:
1. Ensure that you are logged on to your Windows 2000 Server machine as Administrator.
2. Select Start ➢ Settings ➢ Network And Dial-Up Connections. The Network And Dial-Up Connections window opens.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
282
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.6 (continued)
3. Right-click the Local Area Connection icon and select Properties. The Local Area Connection Properties sheet appears.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 283
EXERCISE 5.6 (continued)
4. Check the check box next to the Network Load Balancing option and click OK. Network Load Balancing will be installed and enabled but not yet configured.
5. Perform step 3 again to bring the Local Area Connection Properties sheet back up. This time, highlight the Network Load Balancing option and click the Properties button to bring up the Network Load Balancing Properties sheet.
6. Under the Cluster Parameters tab, key in the primary IP address. This address is the one that will be commonly used by all nodes in the NLB cluster. It is best to make sure that all of the computers participating in NLB utilize IP addresses within the same subnet and a common subnet mask.
7. Key in the subnet mask for the primary IP address. 8. Enter the name for the cluster. Typically, you’ll use something meaningful such as cluster.domain_name.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
284
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.6 (continued)
9. Determine whether you want to enable multicast support and mark the check box accordingly.
10. Key in the password used for the cluster and confirm it. 11. Decide whether you want to enable remote control on this cluster (you can remotely control all nodes in the cluster).
12. Note that the Help button will bring up a handy checklist that you can go through prior to installing and configuring NLB.
13. Under the Host Parameters tab, shown below, begin configuring by selecting the priority for the unique host ID for the computer that you’re working on. Note that a common mistake in the configuration of NLB is to neglect this setting and have all nodes in the cluster using the same priority number. Set the first computer to 1, the second to 2, and so forth.
14. Check the Initial Cluster State check box to make it active.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 285
EXERCISE 5.6 (continued)
15. Supply the normal IP address of this computer. Note that this is called the dedicated IP address, as opposed to the primary IP address for the intra-cluster IP address used by NLB.
16. Key in the subnet mask used by this computer. 17. Next, choose the Port Rules tab and examine its settings, as shown below. Note that in most situations, probably the only configuration setting you’ll be really concerned about here will be the Load Weight setting. Suppose that you have one computer that is far superior, hardware-wise, to the second computer in your NLB cluster. The Load Weight setting allows you to more evenly disburse the load by first unchecking the Equal check box and then applying a number that you think matches the distribution ratio you’d like to apply to each computer. For example, in a two-node NLB cluster, perhaps you’d like to apply a 75/25 ratio, 75 for the more-powerful computer, 25 for the less-powerful one.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
286
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.6 (continued)
18. Click OK to exit the NLB configuration screen for this computer and return to the Local Area Connection Properties sheet.
19. Next, highlight the Internet Protocol (TCP/IP) component and click the Properties button to bring up its Properties sheet.
20. Click the Advanced button to bring up the Advanced TCP/IP Settings dialog box.
21. In the IP Addresses section of the dialog box, click Add to open the TCP/IP Address dialog box, as shown below:
22. Enter the primary IP address that you just configured inside NLB. 23. Click Add to return to the Advanced TCP/IP Settings dialog box. 24. Click OK to return to the Internet Protocol (TCP/IP) Properties sheet. 25. Click OK to return to the Local Area Connection Properties sheet. 26. Click OK to close the Local Area Connection Properties sheet. 27. Bring up a command prompt and ping the primary IP address to make sure it’s working on this computer, as shown on the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 287
EXERCISE 5.6 (continued)
28. Ping the hostname to make sure that you can resolve this host by its name, as shown below:
29. Repeat this process for the next node in the cluster. Note that the primary IP address will not change, but the dedicated IP address will. Also, you may have a different load weight to apply to the second computer. Make sure that you change the priority of host IDs on each NLB computer you configure in the cluster.
30. Finally, configure all clients to point to the cluster’s primary IP address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
288
Chapter 5
■
Configuring ISA Server for the Enterprise
In a two-NIC system, the steps wouldn’t be much different except that you’d set the primary IP address for the NIC you’re using internally to the cluster, keeping the dedicated IP address the same for the NIC that’s being used on the regular network.
Read the Windows 2000 NLB documentation carefully before proceeding. There are key elements surrounding such issues as remote control and port rules that you may want to familiarize yourself with before proceeding.
In an ISA NLB system, it’s entirely possible that you might wind up with three NICs—one for the external DMZ connection, one for the internal network, and one for the intra-cluster NIC.
Enterprise versus Array Policy Administrators who are configuring servers in an ISA Server array have three choices they can make relative to policies for the array: Array-only policies In this scenario, only array members can set policies. You’d use this policy when you have several array members controlled by different entities with a need to set different policies for their environment. Enterprise-only policies In a policy such as this, only the rules that are enforced at the enterprise level are valid. Array policies cannot be put into place. Use this type of policy when there is a centralized administrative body that needs to control all array members. Mixed policy In this environment, you implement an enterprise policy but allow array policies to be put in place as well. Note that you can choose whether to let array policies override an enterprise policy or not. An array policy can only add to, or harden, an enterprise policy. It cannot be used to remove any restrictions applied by an enterprise policy. You configure these policies after the array is built and before it’s put into production. You right-click the array_name node and select Properties to bring up the enterprise policy configuration sheet, as shown in Figure 5.9.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 289
FIGURE 5.9
Enterprise policy configuration sheet
Once you’ve finished setting up your array’s properties, you then go into the Enterprise Policy node and configure enterprise site and content rule and protocol rules. You can have more than one enterprise policy and apply each to a different array. Thus, you can come up with very granular policies applied to different arrays within your ISA Server deployment.
On the test, you’re going to be given numerous array questions, and it’s important to understand what configuration the policies are in when you’re reading the question. Keep in mind that the level of control an array member has is relative to whether the enterprise policy allows it or not.
Cache Array Routing Protocol (CARP) A protocol called the Cache Array Routing Protocol (CARP) is used by web proxy clients and the ISA web-caching server to route requests for URLs to the server in the array most likely to have the cached content.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
290
Chapter 5
■
Configuring ISA Server for the Enterprise
It does this by using smart hashing in a deterministic way that allows the client to be directed to the array server that contains the URLs requested. Because of this unique algorithm, you’re assured that content is load-balanced across the members of the array and that no duplicates exist. This makes ISA Server extremely scalable and the cache highly resilient and less bandwidth-intensive.
CARP automatically adjusts to additions or deletions within the array.
By default, outgoing web requests are passed through CARP, but incoming web requests are not, although you can configure incoming requests to use CARP as well. You do this by editing the properties of the array and clicking the Resolve Requests Within Array Before Routing check box, as shown in Figure 5.10. FIGURE 5.10
Enabling CARP for incoming web requests
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 291
While this might be of interest to you if you’re publishing from the internal network to the Internet through ISA Servers, in most instances it’s not going to be useful to you. Let’s walk through Exercise 5.7, in which we’ll be setting up a set of several ISA Servers in an array. It’s quite easy, but some prerequisites are in order, and so steps 1 and 2 of the exercise hone in on the preemptory material while the rest of the exercise goes through the actual machinations. EXERCISE 5.7
Setting Up Multiple Servers in an ISA Array 1. Servers operating in an array need to be within a single Windows 2000 domain, and Active Directory must be installed and running. This, of course, implies that you’ve done tons of background work getting the network to this point. This single statement means that users and groups have been created in the Windows 2000 domain, that users are validating to the domain, and that all of the prerequisite Windows 2000 domain deployment work has already been done.
2. Determine your ISA design goals. Do they include caching of web hits? How about packet filtering? What about hosting of internal servers? What are the enterprise policies associated with the new servers?
3. Install your primary ISA Server hardware. This is probably the server that will hang out at the DMZ. Make it a beefy server, one with plenty of CPU horsepower and RAM. ISA is fully symmetricprocessing-aware, so it may be to your advantage to bring in a two-way or four-way computer. Note that you could certainly run this on a cluster server and/or NLB arrangement. This will be a Windows 2000 Server, Advanced Server (probably not DataCenter Server) with SP1 applied. Extend the AD schema, and allow enough time for the schema update to replicate to all DCs.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
292
Chapter 5
■
Configuring ISA Server for the Enterprise
EXERCISE 5.7 (continued)
4. Install the ISA Server software, making it an array instead of a stand-alone computer.
5. Configure your enterprise policies. Set your caching levels. Set up your packet filters, report jobs, and alerts. Turn on Intrusion Detection. Test the new deployment from outside and from within.
6. Next, set up your additional array members. You won’t need to extend the schema again—once is enough. When prompted as to whether the computer is a stand-alone computer or an array member, select Array Member and point it to the name of the initial server.
7. Configure the array members and test the configuration. The array members will appear in the Servers list.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Creating Arrays 293
EXERCISE 5.7 (continued)
These seven seemingly elementary steps represent months of work on your part. It’s especially important to sit down and design your deployment with some thought as to what you expect out of the system. You’ll want to prepare a thorough project plan that denotes the steps you’ll need to take and the milestones that will allow others to recognize when you’ve accomplished major portions of the project.
Why ISA Server Arrays Using CARP Are a Better Setup than Earlier Arrays CARP uses a hashing algorithm to find the location of cached content. Earlier implementations of arrays of proxy servers using the Internet Cache Protocol (ICP) used query methodologies to find the content, thus slowing down the lookup.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
294
Chapter 5
■
Configuring ISA Server for the Enterprise
Also, because of the way ICP works, highly utilized URLs might be duplicated on several different proxy servers in the array. While you might at first think that this makes for faster lookups, you have no way of guaranteeing that the cached object returned to the client contains the freshest data. You also chew up disk space by having multitudes of duplicate entries within the array. CARP uses the ISA Server’s intra-array address, most typically the IP address of the ISA Server (although this address is configurable). Because CARP uses IP addresses for known array members, it doesn’t have to utilize peer-to-peer pinging as earlier array solutions do, thus speeding up the performance of the array.
Summary
I
n this chapter, we talked about packet filtering, the idea being that you filter out packets of a specific protocol type for a given port. You can choose to dynamically filter out the packets—that is, detecting a packet you destined for a port and dynamically closing or opening that port based upon whether you’ll allow the packet or not. Understand that dynamic packet filtering requires more CPU cycles to accomplish and thus requires heavier capacity servers than a server that uses straight packet filtering. Regular packet filtering simply disallows or allows packets of a given type destined for a given port. The most common examples are allowing SMTP packets destined for port 25 (Internet e-mail packets) and disallowing incoming ICMP (ping) packets on any port. We also discussed access policies. You can have very tight granular control over who’s allowed in, who’s allowed out, and, even more important, what’s allowed in or out. You accomplish this through access policies, protocol rules, site and content rules, routing rules, and bandwidth limiting. ISA Server can (and should) function as a router alongside its capacity as an access limiter.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Key Terms
295
Finally, we talked about how you can create ISA Server arrays. The computers you’re using in your ISA Server array must join a single Windows 2000 domain in order to be array members. You can use array members to balance your web caching, to create a hierarchical webcaching methodology, to provide a single enterprise policy, or to provide array policies across different array members. You need to use ISA Server Enterprise Edition to set up your arrays. The Cache Array Routing Protocol (CARP) uses a hashing algorithm to locate where requested URL data is located on array members and is faster and less error-prone than earlier array methodologies.
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: Synchronization/Acknowledgment (SYN/ACK) packet
ICMP (Internet Control Message Protocol)
Cache Array Routing Protocol (CARP)
fragment filters
Client Access Policy
node
cluster
primary IP address
cluster node
packet filter
dedicated IP address
routing rules
dynamic packet filtering
Reset (RST) packet
firewall chaining
SOCKS
H.323 filter
User Data Protocol (UDP)
Copyright ©2001 SYBEX, Inc., Alameda, CA
Network Load Balancing (NLB)
www.sybex.com
296
Chapter 5
■
Configuring ISA Server for the Enterprise
Exam Essentials Be able to create packet filters, access policies, and routing, bandwidth, protocol, and site and content rules. The heart and soul of ISA Server are the rules and how they’re formulated. Understand when you’d want packet filters and when you’d want access, routing, and bandwidth policies. Understand what’s important about site and content rules and how they differ from protocol rules. Understand how to create packet filters, routing rules, bandwidth rules, protocol rules, site and content rules, and access policies and why you’d use them. It’s important to understand when you’d use one item over the other. For example, protocol rules might allow internal clients to use only FTP download and not full FTP. Site and content rules might restrict certain sites right from the start, with third-party web content filtering added on. Understand why you’d use ISA Server in an array and how to create an array. Be able to assign an enterprise policy to an array. One of ISA Server’s most powerful features is its ability to be used in an array of ISA Servers. You need to know when you have a site that’s eligible to utilize an array and what you’d use an array for. Be able to configure multiple ISA Server computers using Network Load Balancing or CARP. Several questions on the test revolve around array members in a cluster. It’s important to understand how the two integrate and, on top of that, how clients integrate with the cluster. Pay special attention to subnetting and how it could potentially impact array members and their ability or inability to contact one another.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 297
Review Questions 1. You have a large Windows 2000 domain that is spread out over
several buildings within your company’s campus. All buildings are connected by fiber optic cable running at gigabit Ethernet (Gig-E) speeds with a home run to building A (see exhibit). There is a single connection to your ISP—everyone goes out through the same door to access the Internet. You set up an NLB ISA Server array using enterprise policies. Building D
Building C
DS3 Gig-E
Internet
Building B
Building A
You configure array member A with the set of protocol rules and filters you want to utilize. Users in Building A can access the Internet. Users in Buildings B, C, and D cannot. What could be the problem? (Select all that apply.) A. Administrators in the other buildings have set array policies that
are interfering with the enterprise policy. B. NLB host IDs are all the same. C. NLB array members B, C, and D have not yet had the primary IP
address configured. D. SecureNAT clients in buildings B, C, and D are not configured
correctly. E. The ISA Server isn’t plugged into a switch or hub.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
298
Chapter 5
■
Configuring ISA Server for the Enterprise
2. You have an ISA Server array set up in a four-building campus (see
exhibit). You’ve configured the array with an enterprise policy and have validated that users in buildings A, B, and C are able to access the Internet. However, users in building D cannot. What is the problem? Array member D
Array member C
10.1.1.17
10.1.1.16 DS3 Gig-E
Internet 10.1.1.13 Array member B
10.1.1.14 255.240.0.0
Array member A
A. The host ID is the same as that of one of the other servers. B. The server has not yet been configured with a primary IP
address. C. You need to change the IP address to 10.1.1.13. D. You need change the IP address to 10.1.1.32. 3. Looking at the Properties sheet below, which tab would you select to
allow ISA routing to resolve requests for incoming packets? A. Outgoing Web Requests B. Performance C. Security D. Incoming Web Requests E. Policies F. General
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 299
4. You have an ISA Server array set up and are using a basic set of
packet filters for the array. However, users are not able to access Internet sites (see exhibit). What should you do to correct the problem?
A. Add a protocol rule allowing all protocols access to all
destinations. B. Enable the packet filter. C. Create a site and content rule allowing all users access to all
sites. D. Create a routing rule that allows all destinations to retrieve data
directly from the destination.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
300
Chapter 5
■
Configuring ISA Server for the Enterprise
5. You are setting up a stand-alone ISA Server in your Windows 2000
domain. The ISA Server is dual-homed—one NIC is connected to the private network and one to the Internet. All users with the exception of the Marketing department are to use only the company’s intranet. How should you set up ISA so that only Marketing users are allowed onto the Internet? A. Create a client set that includes the Marketing department.
Create a site and content rule allowing all destinations for all but this client set. B. Create a client set that includes the Marketing department.
Create a site and content rule that allows this client set. C. Create a client set that includes the Marketing department.
Create a packet filter that allows this client set. D. Create a client set that includes the Marketing department.
Create a packet filter that allows all but this client set. 6. You’re configuring an ISA Server. You want to prevent internal users
from attempting to use Internet Relay Chat (IRC) to set up chat sessions over the Internet. What protocol(s) and rule(s) are required to prohibit this activity? A. Site and content rule B. Packet filter C. Protocol rule D. Routing rule 7. You have an ISA Server array of three computers situated in three
different buildings on your campus—buildings A, B, and C. You’ve enabled the enterprise policies (see exhibit). Now you’re trying to create a packet filter, but are only allowed to create Deny filters (see dialog box). What could be the problem?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 301
Array member C
10.1.1.3 DS3 Gig-E
Internet 10.1.1.2 Array member B
10.1.1.1 Array member A
A. Array policies are not allowed to override the enterprise policy. B. The enterprise policy allows only Deny filters. C. All packet filters must be configured at the enterprise policy level. D. Packet filters being configured at the array policy level can only
be Deny filters.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
302
Chapter 5
■
Configuring ISA Server for the Enterprise
8. When configuring IP packet filters in an array, which options do you
have for how the filter will be applied to the array members? (Choose all that apply.) A. Filter will be applied to all array members if an enterprise policy
is in place. B. Filter will be applied only to the array member on which the
filter is being created. C. Filter will be applied to all array members. D. Filter will be applied to any one array member. 9. Amy is creating a packet filter on her stand-alone ISA Server that
will allow all incoming or outgoing SMTP traffic on port 25. Only after she finishes creating the filter does she notice that Bertrand, her administrative counterpart, has created a packet filter that denies all incoming or outgoing SMTP traffic on port 25. Which filter will the system use? A. Neither filter will be used—they cancel out one another. B. The Deny filter will be used. C. The Allow filter will be used. D. This cannot happen in ISA Server. 10. You are setting up a four-server ISA array that is going to be utilized
in a network of 8,000 users located in two buildings that are side by side. All servers will reside in the same server room. You want users to have the fastest Internet access possible while making sure that the servers are highly available. What should you do? A. Configure the array in an NLB cluster. B. Configure the array in an NLB cluster and use CARP. C. Configure the array using CARP. D. Configure the array in an NLB cluster, use CARP, and configure
the array for dynamic content.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 303
11. You recently built a two-member ISA Server array. You set up the
array so that only the enterprise policy and no array policies can be used (see exhibit). Users are not able to access the Internet. What could be the problem? (Two elements are required to complete this answer. Select two answers.)
A. You need to create packet filters that allow all protocols at all
times. B. You need to create a protocol rule that allows all protocols to all
destinations. C. You need to create a site and content rule that allows all users
access to all sites. D. You need to create a routing rule that allows users to retrieve
requests directly from all destinations. E. You need to make sure the host IDs are not the same. 12. Sarah has a network that suffers from a slow infrastructure. She has
set up a bandwidth-limiting rule so that when users are utilizing the system, ISA doesn’t bring the network to its knees with bandwidth demands. However, the rule doesn’t seem to be working. What could be the problem? A. Packet filters are not in place. B. Bandwidth limiting has not been enabled. C. Routing rules have not been applied. D. Protocol rules have not been created.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
304
Chapter 5
■
Configuring ISA Server for the Enterprise
13. Montgomery has an ISA Server array in place, with array members
in each of three somewhat geographically distant sites contained within a single Windows 2000 domain. The administrators in these sites want to be able to set up their own policies but seem unable to do so. What could be the problem? A. Montgomery needs to enable array policies. B. Montgomery has configured the array to use an enterprise policy. C. The external admins have not yet configured access policies. D. The array is used for caching only. 14. Leah is trying to set up her ISA Server array so that her internal web
servers can publish to the Internet, but she is unable to accomplish her task (see exhibit). What is most likely the problem?
A. ISA array members cannot publish. B. The array has not been enabled to publish. C. An access policy is overriding the publishing. D. A routing rule is prohibiting the web servers from publishing to
the Internet. Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 305
15. You are configuring a new ISA Server array. You want the
Marketing group to be able to hit any site on the Internet, while all other users are allowed access only to corporate-approved sites. You set up the site and content and protocol rules in addition to other configuration options (see exhibit). A user from the Marketing department soon tells you that she’s unable to access a secure site. What could be the problem?
A. SSL listeners are not activated. B. The user requires a firewall client to be installed. C. You don’t have client sets set up for site and content rules. D. This user is in the group that’s not allowed to hit certain sites
and in the Marketing group as well.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
306
Chapter 5
■
Configuring ISA Server for the Enterprise
16. Alejandro is trying to set up an ISA Server array, but when he
attempts to attach the second ISA Server to the array, he is unable to do so. What could be the problem? (Select all that apply.) A. He is using ISA Server Standard Edition. B. He is attempting to set up an array in an NT 4 domain. C. The second member of the array is in a different Windows 2000
domain. D. Network Load Balancing has not yet been installed. E. The Active Directory schema has not yet been extended. 17. You have an ISA Server array (see exhibit). You’ve configured your
ISA Server array’s enterprise policy with some specific Allow and Deny packet filters, as shown in the following Properties sheet, but you’ve noticed that users in building C are able to perform some functions that you had specifically set up your deny packet filters to prevent. What could be the problem? Array member D
Array member C
10.1.1.4
10.1.1.3 DS3 Gig-E
Internet 10.1.1.2 Array member B
10.1.1.1
Array member A
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 307
A. Packet filters are available only through array or server
properties. B. You have not yet enabled packet filtering. C. Packet filtering is handled through protocol rules in enterprise
policies. D. You’ve not forced packet filtering on the array. 18. You’re working with your new ISA Server array alongside a
co-administrator partner. Your partner has configured the array enterprise policies (see Properties sheet in the exhibit). You’re configuring a bandwidth rule for your entire campus—you call it Campus All (see second graphic in the exhibit). In testing, when you implement Campus All at level 1, users cannot access the Internet. However, when you disable the bandwidth rule, everyone gets in just fine. What could be the problem?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
308
Chapter 5
■
Configuring ISA Server for the Enterprise
A. Array policies are overriding the enterprise policies. B. The Default rule is firing before the Campus All rule is allowed
to fire. C. The schedule is set to allow entry only during the evening. D. A default client set has not yet been created. 19. You have been given the charge to install an ISA Server array by
your management. The expected outcomes are as follows: ■
All users will be able to use ordinary Internet protocols to access the Internet, excluding the ability to download files using FTP.
■
You will control the array from a centralized control point.
■
You will restrict usage over the weekend.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 309
■
■
You will enable Intrusion Detection and prohibit pinging of the ISA Servers. The array will allow for URL caching and will distribute the cache among several servers. What steps must you take in order to develop this array?
A. Create the array using only enterprise policies. Use the default
schedule. Enable Intrusion Detection. B. Create the array using enterprise and array policies. Set up a
bandwidth rule and use the Work Hours schedule. Enable Intrusion Detection and disable the ICMP packet filters. Set up a protocol rule that disallows FTP downloads. Set up CARP. C. Create the array using enterprise and array policies. Set up a site
and content rule and use the Work Hours schedule. Enable Intrusion Detection and disable the ICMP packet filters. Set up a protocol rule that disallows FTP downloads. Set up CARP. D. Create the array using enterprise and array policies. Set up a site
and content filter and use the Work Hours schedule. Enable Intrusion Detection and create a protocol rule that disables incoming ICMP. Set up a protocol rule that disallows FTP downloads. Set up CARP. 20. You’re installing ISA Server on a computer that’s a Windows 2000
domain controller. What security level would you likely pick for this computer? A. Limited Services B. Dedicated C. Firewall D. Secure
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
310
Chapter 5
■
Configuring ISA Server for the Enterprise
Answers to Review Questions 1. A, C, D. In a complicated NLB + ISA array configuration, you have
several variables that you need to be concerned about. Among them is the actual configuration of the NLB cluster itself: Have you denoted the correct host IDs? Is the subnet mask correct for each NLB configuration entry? Have you denoted a primary IP address? Are port rules interfering? SecureNAT clients must have their default gateways set to the intra-cluster address of the NLB array. Administrators could potentially augment your enterprise policies with their own array policies, thus potentially hindering users from accessing the Internet. Then again, your own rules and filters could be hindering things as well. 2. C. The key to this question is in the subnet mask. A 240 mask
provides for 16 networks of 16 different address ranges. 10.1.1.17 falls into the second range and won’t work with the subnet mask we’re using. Changing the address to 10.1.1.13 should fix the problem. 3. D. Recall that, by default, ISA routing does not route incoming web
requests—there’s no need to if you’re not publishing web content from your internal network out to the Internet. But, if you decide to enable routing on the ISA Server and you are publishing, you’d edit the properties of the array in question, navigate to the Incoming Web Requests tab, and click the Resolve Requests Within Array Before Routing button. 4. B. The DNS lookup filter isn’t enabled, thus disallowing users from
hitting sites in which they must resolve a hostname. The only sites that users could hit in a scenario such as this are sites that use an IP address instead of a hostname. 5. B. To restrict users from Internet sites, you need a site and content
rule. However, since the only users allowed to utilize the Internet are people in the Marketing department, you have to somehow restrict the access. You do this by setting up a client set that includes only members from the group Marketing and then setting up your site and content rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 311
6. C. You need only a single rule, a protocol rule, to meet this
requirement. Note that the rule would have various configuration complexities associated with it—things such as schedule, protocol or protocols to deny, and the types of clients that are denied this access. 7. D. The key to this question is in the exhibits. In the diagram, you’re
told that array policies are allowed. However, when you look at the dialog box, you can see that you’re trying to configure an array policy instead of an enterprise policy. In an ISA array where array policies are allowed, they can be only of a Deny type; hence the Allow button is grayed out. 8. C, D. When setting up IP packet filters, regardless of whether an
enterprise policy is in place or not, you have the choice of applying the packet filter to all array members or any one array member of your choice. 9. B. This can indeed happen in ISA Server. The most-restrictive rules
are always utilized, so all SMTP traffic going into and out of port 25 will be denied. 10. D. It is possible to use CARP on a multi-node NLB ISA Server array.
CARP is responsible for maintaining fast URL lookups on ISA array members. NLB balances load across servers in an array. By scheduling dynamic content downloads, you’ve made the user Internet experience as fast as possible while maintaining a highavailability paradigm. 11. B, C. The enterprise policy doesn’t include any default site and
content or protocol rules. Begin by creating a “vanilla” site and content rule that allows all users access to anything, as well as a “vanilla” protocol rule that allows all protocols. Then narrow your scope to the appropriate level of security refinement your site must maintain. 12. B. In order to utilize bandwidth-limiting rules, you must enable
them by editing the Properties sheet of the Bandwidth Rules node.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
312
Chapter 5
■
Configuring ISA Server for the Enterprise
13. B. When Montgomery configured the array, he set it up so that an
enterprise policy is to be used without the proviso that array policies could also be used. Thus, the external admins are unable to create their own policies. To begin to allow the outside admins to do their thing, he only needs to edit the properties of the array and check the Allow Array-Level Access Policy Rules That Restrict Enterprise Policy check box. 14. B. When setting up an ISA Server array, you can opt to publish or
not publish. Leah can fix the problem by editing the array’s Properties sheet and checking the Allow Publishing Rules check box. 15. A. In order for SSL to work in this environment, the SSL listeners
must be enabled to listen in on the ISA default port of 8443. If the user were in a different group in addition to the Marketing group, the fact that she was in the Marketing group would give her access to secure sites. 16. A, C, E. NLB is not required in order to set up an array, but ISA
Server can work with NLB to load-balance arrays. The other things listed are definitely items that Alejandro should think about when attempting to solve this problem. 17. D. By leaving that little Force Packet Filtering On The Array check
box unchecked, coupled with allowing array policies to restrict enterprise policy, you’ve opened the door for the disabling of packet filters that you may have wanted enabled. Whether accidentally or on purpose, evidently someone in building C has disabled your packet filters. 18. C. In this case, the mistake is pretty obvious. Your partner has
configured the enterprise Weekday schedule in such a way that evenings are allowed, days are not. Note that in an array that allows enterprise array policies in addition to local array policies, you can have a schedule that is enterprise-specific as well as array-specific, so troubleshooting calendars could get a little bit difficult.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 313
19. D. While there’s a lot of work to do to meet these fairly basic
requirements, ISA Server makes it easy. You need to set up a site and content rule that limits all users to work hours. (Note that you may want to visit the enterprise Work Hours settings to make sure they’re correct for your environment). You also want to enable Intrusion Detection as well as create a protocol rule that disables incoming ICMP requests. While you’re creating a protocol rule for ICMP, you’ll also want to create a rule that disallows FTP downloads. Finally, you’ll set up CARP for cache balancing across the array. 20. A. The Limited Services security level is intended to be used by
domain controllers and infrastructure servers. Dedicated requires a stand-alone computer. Secure is intended for computers that are running databases or applications along with ISA Server. There is no Firewall security level, though ISA Server is certainly a firewall.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
6
Client Access MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function. ✓ Configure and troubleshoot the client computer for secure network address translation (SecureNAT). ✓ Configure the client computer’s Web browser to use ISA Server as an HTTP proxy.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
T
his chapter is probably one of the most important ones that you’ll read if you’re preparing for the ISA Server test. ISA Server supports several clients, so it’s important to have a clear grasp on what the client is, what it is and is not capable of, and how to implement the client. While the test objectives for this chapter appear to be fairly straightforward, the client issue is clouded with things such as autodetection of ISA Servers (covered in Chapter 8, “Troubleshooting ISA Server”), backward compatibility with MS Proxy Server 2.0 clients, and the persistent question of when to go with the SecureNAT client and when to use the Firewall client. So, we’ve got a bit of digging to do—important digging—let’s get going!
Supported Client Types
Out of box, ISA Server supports three clients: Secure Network Address Translation (SecureNAT), the Firewall client, and the Web proxy client. There’s also one tagalong client that’s a remnant of older MS Proxy Server 2.0 deployments, a client that can also play in the sandbox with ISA Server: Winsock Proxy client. Let’s look at each of these in detail.
Secure Network Address Translation Client The Secure Network Address Translation client is the easiest to configure because you simply change the computer’s default gateway information to reflect the address of the internal interface of the ISA Server. If you’re working on a routed subnet, instead of pointing each computer’s default
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Supported Client Types 317
gateway to the address of the ISA Server, you add a route in the router that points to the ISA Server’s internal interface for any Internet-bound packets. Figure 6.1 illustrates the difference in the two methods. FIGURE 6.1
Two different ways of pointing SecureNAT clients to an ISA Server Router contains address to internal interface of ISA Server. Client default gateway remains unchanged.
In this case, the DHCP server's scope can be adjusted to reflect the new default gateway address. ISA Server
Subnet A
Subnet B
Router
Client
Client
Subnet C Client DHCP server In this case, the DHCP server's scope can be adjusted to reflect the new default gateway address.
In the figure, you can see a client in Subnet A. This client has to go through a router in order to connect with the ISA Server’s internal interface. You would not make this client’s default gateway the address of the ISA Server; instead, you’d key a helper address into the router that routed requests for ISA Server to the address of its internal interface. Typically, an internetworking expert involved with your company’s routers would do this work, but in smaller companies the person who runs the servers may be the same person who runs the infrastructure, including the routers. In Subnet B, you can see that this client is on the same subnet as the ISA Server’s internal interface, so it’s okay to simply point the client’s default gateway to this address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
318
Chapter 6
■
Client Access
In Subnet C, the DHCP scope is modified to reflect the new default gateway of the ISA Server. Because you modify the default gateway locally to the client, you don’t have to worry about addresses in routers. Intuitively, you can probably tell that the SecureNAT client will work on almost any computer as long as the client computer has as its default gateway an address that will get it to the ISA Server’s internal interface. That’s a tremendous advantage. Setting up the SecureNAT client is quick and easy.
In some literature, you’ll see the SecureNAT client referred to as the S-NAT client. They’re one and the same.
There are a couple of disadvantages to using the SecureNAT client, though, one minor and one very major. The minor disadvantage is that SecureNAT clients cannot take advantage of any web caching until such time as you enable a filter called the HTTP Redirector filter. The major disadvantage is that SecureNAT clients cannot take part in any user or group activity you’ve set up on the ISA Server. For example, you cannot create a site and content rule that includes SecureNAT clients. Access controls are implemented through the IP address rather than through user or group accounts. If you can tell that there will be difficulty with implementing SecureNAT clients because your clients require some sort of authentication when utilizing web protocols, then configure the client to also be a Web proxy client (talked about below). In other words, if you have a web application that’s going to require some sort of authentication, consider either making the client a Web proxy client or running both SecureNAT and Web proxy.
Firewall Client This client supports all Winsock protocols and has to be physically installed on the client computer. Go to a client computer, choose Start ➣ Run, and in the Run text box type \\ISA_Server_Name\, where ISA_Server_Name is the name of your ISA Server. You’ll be presented with the shares your ISA Server has, similar to the ones shown in Figure 6.2. Open the mspclnt folder to reveal the setup files shown in Figure 6.3. Alternatively, simply run the client setup from a browser by publishing the Default.htm page in the Webinst folder to your intranet.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Supported Client Types 319
Users will click the Firewall Client Software hyperlink, shown in Figure 6.4, to begin installation. FIGURE 6.2
The result of browsing out to an ISA Server through Start ➣ Run
FIGURE 6.3
Contents of the mspclnt folder of the ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
320
Chapter 6
■
Client Access
FIGURE 6.4
The web installation method of installing the Firewall client—note the Firewall Client Software hyperlink
The Firewall client installation will populate the client computer with a set of folders containing the client code, along with some configuration files such as msplat and mspclnt. These configuration files are created by the configuration work that you do within the ISA Management console and shouldn’t be directly edited. The Firewall client supports user- and group-based policies, thus providing heavily increased access-control granularity. It also provides support for almost any application protocol available—key things like Internet Relay Chat (IRC), RealPlayer streaming multimedia, Microsoft NetMeeting, and other apps. If there’s an app out there that the Firewall client doesn’t know about, all you have to do is find out what protocol the app is using and what port it occupies, and then simply create a protocol rule for the new application. The Firewall client has two disadvantages. First, someone or some process has to visit each box and install it. You can do this by sending a
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Supported Client Types 321
pointer to setup.bat through e-mail, referencing it in a logon script, sending an SMS package, or sending a package through Active Directory. Or you can simply visit each PC and install the dang thing. Visiting each PC could be problematic if you have thousands of PCs to worry about. Second, the Firewall client doesn’t work with Windows 3.x clients. It will work on Windows 95 OSR2, 98, Me, NT 4.0, 2000, and XP. Microsoft supplies an Installer-based package named MS_FWC.MSI with which you can utilize SMS or Active Directory and Windows 2000’s Software Installation and Maintenance facilities to send users the package.
To set up a silent command-line installation of the Firewall client using the Windows Installer, use this command string: MS_FWC.MSI \setup /v” /qn”. (Quotes must be included.)
I guess I’d ask why you would still have Windows 3x boxes hanging around since Microsoft is dropping support for its younger brother, Windows 95 (thus putting you not one but two version levels behind the curve). But that’s for another place and another time. If you have access to the MS Proxy Server 2.0 installation CD, you can run the old Winsock Proxy client installation from it to provide support for your Windows 3.x users. Alternatively, you can simply turn them into SecureNAT clients.
Web Proxy Client This client is designed to interface directly with the browser. Open up IE 5, navigate to Tools, and then select Internet Options. On the Connections tab of the Internet Options dialog box, choose LAN Settings, and you’ll see a dialog box similar to the one in Figure 6.5. In order to configure the browser as a Web proxy client, you simply click the Use A Proxy Server check box and then point the browser to the address of the internal interface on the ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
322
Chapter 6
■
Client Access
FIGURE 6.5
Setting up a browser as a Web Proxy client
The client is limited to the standard Internet protocols: HTTP, HTTPS, FTP, and Gopher. There are some slight performance increases in client operation by virtue of setting up browsers as Web proxy clients. Web proxy supports user authentication, making it advantageous over SecureNAT. You could conceivably use this client on non-Windows systems, and it will work on non-IE browsers. We’ll talk more about how to implement the Web proxy client later on in this chapter.
Winsock Proxy Client You may well inherit this client as a throw-over from an MS Proxy Server 2.0 upgrade. We’ve already talked about some of its uses—namely utilizing the client for the support of Windows 3x clients. You can utilize
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Supported Client Types 323
legacy MS Proxy Server installations and the Winsock Proxy client in an MS Proxy Server 2.0/ISA Server environment for continuing IPX/SPX gateway capabilities.
The MS Proxy Server SOCKS protocol is not supported in ISA Server. There is no SOCKS client.
Yes, We Have No IPX. MS Proxy Server came about during the heady days of Novell NetWare. Since NetWare had a protocol that it utilized heavily, Internet Packet Exchange (IPX) (along with Sequenced Packet Exchange [SPX]), but the protocol of the Internet was standardized on TCP/IP, it made sense that Proxy Server would be given the ability to translate IPX packets into TCP/IP for IPX clients, thus giving those clients Internet access even though they were IPX-based. Very cool stuff. You obtained this functionality by installing the MS Proxy Server Winsock Proxy client on the client computer. NetWare has since gotten heavily into the TCP/IP world and no longer installs with IPX as its de facto protocol. However, in legacy NetWare environments, there may still be a proclivity toward IPX in-house. The bad news is that ISA’s Firewall client doesn’t support IPX. There are a couple of workarounds to this problem. First, you can keep a legacy MS Proxy Server around for backward compatibility. ISA Server can backwardly talk to MS Proxy Server 2.0, so there’s not an issue here, although you’ll have to put much more careful thought into your design. A much better idea is to get the NetWare servers and associated clients up on TCP/IP and then simply use the ISA Server Firewall client. I like this design because it level-sets all of your clients and your firewall server deployments.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
324
Chapter 6
■
Client Access
Deploying ISA Server Services to Client Computers
P
robably the largest part of your ISA Server installation is going to be getting your users pointed to the new ISA Server computer(s). Let’s face it— if you’re using the SecureNAT client, for example, you somehow have to visit each computer and change the client computer’s default gateway to match that of the ISA Server. It’s worse if you’re going with the full-blown Firewall client because you have to physically touch each computer to install a software component, or utilize some packaging methodology to send the client software to the client computer. There are methods to this madness, and we’ll discuss all these things in this and the succeeding chapter sections.
Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function. What considerations should you take into account when planning your client deployment? Below are some of the key points that should pique your interest as you go through an ISA Server design: Client authentication Client authentication may come into play if users have to utilize web protocols that require authentication. Remember that the SecureNAT client uses IP addresses and cannot authenticate. Client operating system The client’s OS has to be Windows 95 OSR2 or greater to support the Firewall client. Almost any client with a browser and TCP/IP can utilize the SecureNAT client, regardless of the operating system. Windows 3.x clients can utilize the old MS Proxy Server Winsock Proxy client or be set up as SecureNAT clients. Any HTTP CERN 1.1–compliant web browser can be utilized as a Web proxy client.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Deploying ISA Server Services to Client Computers 325
CERN stands for The European Laboratory for Particle Physics—a Geneva, Switzerland–based physics lab that was instrumental in developing the World Wide Web portion of the Internet.
There’s some sketchiness as to whether the AOL browser is CERN 1.1– compliant. All other browsers that are less than three or four years old will certainly work. Network topology The way that the network is structured has a lot to do with the kind of client you’ll pick. Have routers and subnets? Then you’ll need to work with your internetworking buddies to get the helper addresses keyed into all of the routers so that the SecureNAT and Web proxy clients work. Firewall clients don’t have this requirement. Name resolution is also important. Web proxy clients that have a NetBIOS name or FQDN keyed into the proxy server settings must be able to resolve that name to an IP address, which means that your name-resolution servers must know about the ISA Server(s). Cost The cost of deploying the client is very intriguing and will be an interesting number to any of the stakeholders of your project. How much will it cost, for example, to send four PC technicians to install the Firewall client on several hundred computers? Is that expense too much to bear, over and above the capabilities that the Firewall client brings to your enterprise? What about the cost, in days, that it will take to modify your DHCP configuration settings so that the new default gateway is changed to the ISA Server? You can’t just make a default gateway change to the DHCP settings and imagine that all clients will instantly get the new setting. It takes time for DHCP to age out and refresh—the default in Windows 2000 is eight days (in Windows NT three days), and some sites have this set to no age limit. If you intend to deploy the SecureNAT client, you can do so through DHCP scopes, but modifying those scopes and then getting users to pick up the new default gateway could present some problems.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
326
Chapter 6
■
Client Access
Complexity The SecureNAT client is the least complex to introduce. Modify your router helper addresses for external subnets, change your default gateway for subnets internal to the ISA Server, and you’re good to go. But you get a reduced functionality along with that—so there’s a trade-off. More complex is the introduction of the Firewall client— although there are ways to get the client simply and easily deployed. Most complex is the Web proxy client because you have to figure out a way to upgrade each browser. Again, there are ways, and we talk about auto-configuration in this chapter and in Chapter 8. Client function What will the client be able to accomplish once it’s installed? In most cases, the answer is probably simply to surf the Web using the standard suite of web protocols. But you may require far more intelligence than that. For example, perhaps part of your training goals is to download over the Web a “talking head” form of distance learning, and the vendor supplying this training uses RealPlayer. The SecureNAT client may not be able to accomplish this because of an authentication requirement. You’d have to employ the Firewall client to implement this feature. Remember that SecureNAT’s weakness is its inability to participate in user or group authentication.
How Soon Do You Go from Basic Web Users to Webcentric Users? Products such as Exchange 2000 and SharePoint Portal Server are likely to change the way that your users see the Web and the way that you manage your ISA Server. For example, external clients can contact internal Exchange 2000 Servers through a front-end/back-end server scenario and touch base with information stores that can utilize very different protocols. SharePoint Portal Server (SPS) has the capability of “serving up” various kinds of content—everything from e-mail to heterogeneous applications that are being run through BizTalk Server and presented to the portal as XML code. In both Exchange 2000 and SPS, clients can utilize native Office XP tools to collaborate with one another and work on documents.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting the Client for Secure Network Address Translation 327
It’s not inconceivable that your internal users may one day soon use Office XP to grab a document over another company’s SPS server, work on it, and then publish it back again. Your ISA Server client planning must allow for this kind of eventual connectivity. What does this mean from a client perspective? It means that the Web is gradually becoming the general store where everybody gathers round and does business. The good old days of your users surfing out to Nasdaq.com for a stock report and nothing more are going away fast, my friend.
Configuring and Troubleshooting the Client for Secure Network Address Translation
B
y far the most popular choice for your deployment will probably be the Secure Network Address Translation (SecureNAT) client. It’s easy to deploy because you need only modify the client computer’s default gateway. But as we’ve seen above, there’s more to it than that. This section examines configuring and troubleshooting the client computer for SecureNAT.
Configure and troubleshoot the client computer for secure network address translation (SecureNAT).
Single Subnet Installations In networks where there is only one subnet and you don’t have to worry about routers, the SecureNAT client will work fine, as long as you need no additional application protocol support apart from what you configure in the rules. Simply navigate to the computer’s TCP/IP settings dialog box and change the default gateway to match that of the internal interface of the ISA Server. Your work will be even easier if you make your ISA Server’s
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
328
Chapter 6
■
Client Access
IP address that of the firewall server it is replacing. Note that you can make SecureNAT clients out of any OS that has a browser it can run. Any rules you’ve configured for the firewall will work for the SecureNAT client. You cannot use users or groups to provide added granularity to your rules when working with SecureNAT clients.
Multiple Subnet Installations In installations where you have multiple subnets separated by routers (or Layer 3 switches) and you wish to use the SecureNAT client, you’ll have to supply a forwarding address (sometimes called a helper address) in the routers in order to direct packets sent from computers on the remote subnet to the Internet to the internal interface on the ISA Server. There will be no need to adjust the client computers on these subnets because the helper address handles the redirection; however, if you personally don’t handle the routers, then you’ll have to work with your internetworking department to get this done. Turning your Windows clients into Firewall clients can eliminate the problem of having subnets separated by routers. If you have a subnet that’s on the same subnet as the ISA Server’s internal interface, then you’ll have to make each client on this subnet a SecureNAT client. There will be no routers to work with, so you’re stuck figuring out a way to change each client’s default gateway to match the internal interface of the ISA Server. Alternatively, you can install a DHCP server at each subnet. Then, when it comes time to install the computers on a given subnet as SecureNAT clients, all you have to do is modify the default gateway. You can also accomplish this task by installing a single DHCP server in the home subnet and DHCP relay agents in the remote subnets. Or you can enable the forwarding of BootP requests across the routers. DHCP is broadcast-oriented and uses BootP to pass requests.
DHCP Installations Dynamic Host Configuration Protocol (DHCP) allows you to pass TCP/IP configuration information such as default gateway, primary and secondary DNS servers, WINS servers, name-resolution search order, and other information to clients. DHCP clients obtain an IP address and associated configuration information in the form of a lease from a DHCP server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring and Troubleshooting the Client for Secure Network Address Translation 329
Windows clients attempt to renew their lease at 50 percent of the elapsed lease lifetime. If the lease is set to expire in eight days, the client will try to renegotiate after four days and will continue until the lease is renegotiated or the time span has elapsed and the client can no longer get a lease. After setting the new scope IP configuration information, your challenge is to get all computers on the network that need the new info to shut down and restart. When the computers restart, they’ll grab the new configuration info. There are some difficulties here—it’s tough to get users to shut down their computers, so you’ll have to be creative in order to get this done. Also, if the scopes are nearly full (which they shouldn’t be if you’ve implemented TCP/IP correctly), you could have users left out in the cold who previously had IP information and were unable to get a new lease at startup time.
Troubleshooting the SecureNAT Client Installation The SecureNAT client installation, when not working, can be very easy to troubleshoot—or it can be very difficult. If you have to resort to helper addresses in the routers and the router farm is fairly complex, then you could run into some problems getting the SecureNAT client going. That being said, however, keep in mind that users had a default gateway prior to your coming in with the new ISA Server, and it, too, probably had to have helper addresses, so there is a light at the end of the tunnel—you’ll just have to do some minor tweaking somewhere. If you must rely on the internetworking team to get the addresses configured for you, remember that they’re extremely busy people and so it may take some time to work out the problem. You could also run into problems with the configuration at the ISA Server itself. Check the network configurations on each interface to make sure they’re correct. Ascertain that the ISA Server has as its DNS address the location of your ISP’s DNS server. Client problems should not be too difficult to troubleshoot if you’ve already established connectivity with the ISA Server and tested it. Perhaps the client somehow had its default gateway information changed manually and someone fat-fingered the subnet mask while changing it. If the client obtained its configuration information from DHCP, then give the scope(s) a good look to make sure they’re configured correctly. Check the client’s browser to make sure it isn’t pointed to a bogus proxy server address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
330
Chapter 6
■
Client Access
The Case of the Hosed Subnet Mask I once had the experience of working with a company that had offices in many different locations across the U.S. This company had plans to convert the entire network to a 10.xxx.yyy.zzz addressing scheme but had not gotten around to it yet. So most sites were on a public Class B network. We were doing a Microsoft Systems Management Server (SMS) installation and were troubled because even though we had purposely excluded one of the company’s sites from the SMS site boundaries, we were nevertheless seeing SMS clients appear in the inventory from that site. The problem was that the engineers at this site were extremely adamant that SMS should not run on their workstations, and yet it managed to show up anyway. They were not happy about it! It turned out that this site and the main site where I worked shared a subnet, but we had utilized a standard Class B subnet mask (255.255.0.0) while the other site had a less-standard mask (255.192.0.0). The theory was that the two sites were independent of one another (except for any router work, of course). Unfortunately, if you did the binary math, you’d find that the remote site happened to be sharing the same network ID as the main site, so they really weren’t separated at all! Things had gone on this way for years and had created some strange issues that no one could solve because they had always assumed that both sites were separated by a unique subnet-masking scheme. SMS found it right away, though, and clients were able to install the SMS client and give us an inventory—something we did not want from this site. It took a while to convince the internetworking folks that this was happening. They were contractors who were working on an enterprise-wide conversion to the “ten-dot” network, and although they finally came to realize what was up, they didn’t do anything about it for a long time. Thus, the problem stayed the way it was. The moral of the story is that if you’re performing a subnet-bysubnet rollout of the SecureNAT client over ISA Server, you may
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring a Client Computer Web Browser to Use ISA 331
inadvertently wind up allowing more people to access the server than you’d realized—perhaps even some people who shouldn’t be allowed to access the Internet! It pays to take some time and figure out the TCP/IP addressing scheme for the enterprise and whether it’s being followed to the letter of the law.
Configuring a Client Computer Web Browser to Use ISA
T
oday’s e-age has brought about the advent of the browser and with it the very cool concept of portal software and intranets. It’s vital that you understand how a web browser interfaces with ISA Server, partly because that’s what ISA’s all about—getting users to the Internet—but also because once you understand the technology, you can utilize it in your Internet/ portal/intranet/extranet designs.
Configure the client computer’s Web browser to use ISA Server as an HTTP proxy.
A client that uses a browser to access the ISA Server is called a Web proxy client. With this client you get the basic web protocols of HTTP, HTTPS, FTP, and Gopher. For all intents and purposes, you can disregard Gopher because it’s hardly used anymore.
Web Browser Configuration (HTTP Proxy) There are four ways that you can install and configure an Internet Explorer web browser to use the Web proxy client: manually, through the Internet Explorer Administration Kit (IEAK), through an IE package delivered by a systems management product such as SMS, or through an
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
332
Chapter 6
■
Client Access
automatic configuration pushed out by the ISA Server. Let’s talk about each method in this section: Manually As we said earlier, if you go into IE 5, choose Tools ➣ Internet Options, navigate to the Connections tab, and click the LAN Settings button, you can key in an address for a proxy server. You can also opt to set the browser to bypass the proxy for local addresses. In a manual web proxy configuration, you’ll key in the name or address of the ISA Server’s internal port; in the Port text box, type in 8080 for the port that ISA’s listening on for Web traffic. You’ll also want to check the Bypass Proxy Server For Local Addresses check box. Clicking the Advanced button allows you to key in different ports for various protocols or keep the port the same for all protocols. Look once more at the Local Area Network (LAN) Settings screen, shown in Figure 6.6, where you key a proxy server address into IE 5.5. Figure 6.7 shows Netscape 6.1’s proxy settings dialog box. You get there by choosing View ➣ Preferences from the main Netscape window. FIGURE 6.6
The LAN Settings configuration screen of IE 5
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring a Client Computer Web Browser to Use ISA 333
FIGURE 6.7
Adjusting Netscape 6.1’s proxy settings
You can also set up IE so that it obtains automatic configuration information from the ISA Server by running a configuration script from the ISA Server. Look at the Automatic Configuration section of Figure 6.6. Check the Automatically Detect Settings and Use Automatic Configuration Script check boxes, and then in the Address text box, key in http://Server_Name:8080/array.dll?Get.Routing.Script, where Server_Name is the name of your ISA Server. Also check the Use A Proxy Server check box, and in the Name text box, key in http://Server_Name and enter 8080 in the Port text box. You can opt to check the Bypass Proxy Server For Local Addresses check box as well. SMS package If you’re using a systems management product such as Microsoft SMS, Novell ZENworks, IBM’s Tivoli, or Computer Associate’s Unicenter, you could set up an IE package that points to the ISA Server as the proxy server and then send it to the client group you want to install.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
334
Chapter 6
■
Client Access
Internet Explorer Administration Kit You can also prepare a customized browser installation of Explorer 5.5 using the IEAK (see www.microsoft.com/windows/ieak). Once you’ve created a customized IE package, you can then either install it via a logon script or SMS package or install it manually. IEAK has no methodology of its own to push the browser customization out to users, but it does allow you to put some controls on the browser. Automatic configuration of Web proxy clients DHCP and DNS servers can be configured with a special entry called the Web Proxy Autodiscovery Protocol (WPAD). This entry allows clients to seek out an ISA Server using either DHCP or DNS and automatically obtain configuration information. You’ll find coverage of WPAD in Chapter 8, where we include exercises to show how to configure WPAD within both DHCP and DNS, as well as how to enable the ISA Server for client autodiscovery. Only Windows 2000, 98, Me, and XP clients can make use of this capability; Windows 95 and NT clients cannot. The bottom line to all of this is that you must figure out a way to update all client computers that will use the Web proxy client. If you decide to install the Firewall client, you can make an adjustment that allows the Firewall client installation to also automatically update the client’s web browser with proxy server configuration information. We’ll talk more about that in the next section. You should consider installing the Web proxy client alongside the Firewall client because of the increased performance users will get when they surf the Internet. You should also consider installing the Web proxy client wherever you plan on doing SecureNAT installations as well, for the same reason.
Firewall Client Configuration Configuration of the Firewall client can happen through WPAD entries in your DHCP and DNS servers, just as it does with your Web proxy clients. Prior to deploying the Firewall client, you can go into the ISA Server Management console and perform configuration adjustments for your site. We’ll use Exercise 6.1 to walk through the basics of this configuration effort.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring a Client Computer Web Browser to Use ISA 335
EXERCISE 6.1
Modifying the Configuration Properties of the Firewall Client 1. In the ISA Server Management console, navigate down to the Client Configuration node.
2. In the Details pane, right-click the Firewall client and select Properties. The General tab of the Firewall Client Properties dialog box appears.
3. Check the Enable ISA Firewall Automatic Discovery In Firewall Client check box.
4. Click OK to finish. The Firewall client software component will now be enabled to automatically discover the ISA Server denoted in the name or address list referenced in the Properties sheet. The Firewall client will use this server to connect to the Firewall service. Note that a WPAD entry could direct the client to a different ISA computer for configuration information, yet when the configuration is done the client would use the server referenced in the Properties sheet to connect to the Firewall service.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
336
Chapter 6
■
Client Access
But there’s more to it than that. We can also go forward with our configuration and provide even more granularity by enabling the Firewall client’s web browser at the same time we install the Firewall client. We’ll use Exercise 6.2 to show you how. EXERCISE 6.2
Setting Up the Configuration of the Firewall Client’s Web Browser 1. From the ISA Server Management console, navigate down to the Client Configuration node.
2. In the Details pane, right-click Web Browser and select Properties to bring up the General tab of the Web Browser Properties dialog box, shown below.
3. Check the Automatically Discover Settings check box to allow the client to discover and connect to ISA Servers in any location within the ISA infrastructure that it might be transported to. This discovery can happen by DNS or DHCP.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring a Client Computer Web Browser to Use ISA 337
EXERCISE 6.2 (continued)
4. Check the Set Web Browsers To Use Automatic Configuration Script check box. This check box is needed and especially beneficial when you have set up a distributed web cache, using the Cache Array Routing Protocol (CARP) to distribute the URL cache evenly across a group of ISA Servers.
6. Click the Direct Access tab to bring up its Properties sheet. This tab controls the list of computers that the Web proxy client will directly access rather than going through the ISA Server.
7. Click the Backup Route tab to bring up its Properties sheet. This area allows you to stipulate where the Web proxy client should check if the initial ISA Server is not available. When the connection becomes unavailable, requests are automatically redirected to the machine listed in the Backup Route section. This adds a measure of redundancy and fault-tolerance to your system.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
338
Chapter 6
■
Client Access
EXERCISE 6.2 (continued)
8. Click OK to exit the Web Browser Properties screen.
Generally speaking, the order in which you’ll go about setting up your clients is as follows: 1. Install ISA Server. 2. If you’re going to use the SecureNAT client, then you must add
helper addresses to the routers. 3. Install the HTTP Redirector filter. 4. Configure the firewall and web browser client components. 5. Update DNS and DHCP with WPAD information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Configuring a Client Computer Web Browser to Use ISA 339
6. Select the client installation method and the types of clients you
know you’ll install. 7. Install your clients and test them.
There are a couple of things that you need to be aware of with respect to the Firewall client configuration: ■
■
If the HTTP Redirector filter is enabled and authentication is required for some reason, then the Firewall client may be presented with an authentication dialog box even though it’s already authenticated. When the Firewall client is passed through the HTTP Redirector, the authentication information is discarded. If you configure a backup route for Web proxy clients, as shown in Exercise 6.2, step 7 above, you need to be aware that the ISA Server service on the backup computer must be listening on port 80, not port 8080, for the failover to work. This has to do with the way that the client software thinks of the backup computer.
Configuring the HTTP Redirector Filter You’ll use the HTTP Redirector filter for the purpose of allowing your SecureNAT and Firewall clients to utilize the web cache. They cannot do so without the HTTP Redirector filter. Here are the steps for verifying that this filter is enabled:
1. In the ISA Management console, navigate to the Extensions node and then to Application Filters.
2. The Details pane should reveal several pre-configured filters, most of which are enabled by default (including the HTTP Redirector filter).
3. Double-click the HTTP Redirector Filter icon to bring up its Properties sheet.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
340
Chapter 6
■
Client Access
4. Note the Redirect To Local Web Proxy Service radio button on the Options tab. If this button is selected, then SecureNAT and Firewall client requests are directed to the web cache in addition to the Web proxy client requests.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Summary 341
A couple of items might seem misleading from those available in the Options tab of the HTTP Redirector Filter Properties page. If the Send To Requested Web Server radio button is selected, then you’re saying to ISA Server that you never want SecureNAT and Firewall clients to access the Web Proxy service for HTTP requests. The wording of this radio button doesn’t really seem to imply that, does it? Nor does the next radio button, Reject HTTP Requests From Firewall And SecureNAT Clients. This radio button prevents SecureNAT and Firewall clients from accessing any HTTP content. The only way that these clients can access HTTP content is if their browsers are configured as Web proxy clients. In any case, clicking any one of the radio buttons automatically deselects the others, so you must make a choice regarding the HTTP Redirector filter. Probably the only modification you’ll want to make right away is to put a check mark in the If The Local Service Is Unavailable, Redirect Requests To Requested Web Server check box. This option is not checked by default, and if the Web Proxy service were to somehow stop operation, then the SecureNAT and Firewall clients could not get their HTTP requests satisfied until this service was restarted without this check box being checked.
Summary
In this chapter, we talked about clients—something that at first may seem to be a confusing and unwieldy topic in your ISA studies. There are three ISA Server clients: Firewall, SecureNAT, and Web proxy. Of these, the only “official” client, that is the only one that requires actual client software installation, is the Firewall client. But before you install it, you should pre-configure it by making any changes you desire to the firewall and web browser objects in the Client Configuration node of the ISA Management console. By modifying the web browser properties, you can set up the Firewall client so that it also becomes a Web proxy client. It does this by modifying the browser’s proxy server settings to point to the ISA Server’s port 8080 and referencing an automatic configuration script. You’ll also want to enable the ISA Server for automatic discovery within
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
342
Chapter 6
■
Client Access
the Firewall client object when you want to make the servers available through WPAD across the enterprise. That is, if you have various ISA Servers enterprise-wide and you want roving clients to be able to find an ISA Server and configure themselves, you’ll have to configure your DHCP and DNS servers with WPAD entries (discussed in Chapter 8), and you’ll have to enable this check box. This check box isn’t as important if you have only one ISA Server in the environment. You can install the Firewall client through a variety of methods: an Active Directory package using Windows 2000’s Software Installation and Maintenance features, an SMS package, a logon script, or even sending a reference to the installation EXE file through e-mail. There are two different installation executables: Setup.exe, available through the mspclnt directory of your ISA Server, and MS_FWC.MSI, a Windows Installer-based application that can take various switches in order to make it install quietly. There is also a web installation component—simply publish a hyperlink to mspclnt\webinst\default.htm and users can install the Firewall client from a browser. The SecureNAT client is the one that’s easiest to install, but hardest to touch all the clients. That’s because all you have to do is change the default gateway of each client. There are two ways to do so: If the clients are all DHCP clients, then you can simply modify the default gateway, and at lease-expiration time the clients will get the new gateway. But that’s the problem. Shortening the lease-expiration time to a point where you get all clients turned around quickly can be difficult. You can either shorten the lease times and wait for all clients to renew, or you can push a release/renew cycle to the clients and have users restart their computers. DHCP design might include a DHCP server on each subnet and a DHCP server at the main subnet, with superscopes and DHCP relay agents at the remote subnet or the forwarding of BootP requests through the routers. Alternatively, if clients are behind a firewall and on a remote subnet, you can simply include a helper address that points Internet requests to the ISA Server, thus negating any need to modify the clients’ default gateway but requiring modifications to the routers. We also talked about the Web proxy client. This is an easy one to configure because you merely update the client’s browser to reflect the new proxy server name and port. You can also enable the automatic discovery and downloading of configuration scripts. Then we discussed the MS Proxy Server Winsock Proxy client, which is roughly the equivalent the Web proxy client. ISA Server backwardly supports this client.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Exam Essentials 343
Finally, we talked about the HTTP Redirector filter, a filter that is enabled by default and allows SecureNAT and Firewall clients to access the ISA Server’s web cache.
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: BootP
Internet Relay Chat (IRC)
helper address HTTP Redirector filter
Sequenced Packet Exchange (SPX)
Internet Packet Exchange (IPX)
subnet
Exam Essentials Be knowledgeable about the types of clients supported by ISA Server. Understand their limitations and their strengths. Be familiar with the SecureNAT client and the methods you’ll have to use to deploy it in a multi-subnet environment. Know the differences between helper addresses in routers, BootP requests, and local DHCP servers or DHCP relay agents. Understand how to configure a web browser for web proxy interaction with the ISA Server. Also keep in mind the HTTP Redirector filter and how it plays in with the SecureNAT and Firewall clients. Be aware of the backward compatibility of the Microsoft Proxy Server 2.0 Winsock Proxy client. Also know how it takes its place in an ISA world. Be able to troubleshoot SecureNAT installation issues. Understand that the default gateway of a client computer needs to somehow direct Internet requests to the ISA Server and how that is affected by multiple subnet networks.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
344
Chapter 6
■
Client Access
Review Questions 1. You’re the administrator of a site with three campuses (see exhibit).
Each campus has its own DHCP server with a scope set up to give clients addresses leases for their subnet. Each subnet has a mixture of clients: Windows 3x, 9x, Me, NT, and 2000 Professional. You want to set up an ISA Server that will allow them to utilize the Internet for standard web activities (HTTP, HTTPS, and FTP). You want the client installation to be as quick and easy as possible. Which client should you install, and what steps should you take to get it installed and working?
DHCP Server Campus A ISA Server Campus C ISA Server Campus B
ISA Server
A. Install the Firewall client by putting a command in everyone’s
logon script to execute the client’s setup program. Then use WPAD to allow clients to autodiscover the ISA Server through DHCP and DNS. Add a rule in the ISA Server to allow all internal clients HTTP, HTTPS, and FTP access to all Internet sites. B. Change the DHCP scope’s default gateway to point to the ISA
Server. Add a rule in the ISA Server to allow all internal clients HTTP, HTTPS, and FTP access to all Internet sites. C. Create a custom IE browser whose proxy server address and
automatic configuration information point to the ISA Server. Distribute through logon scripts, AD or SMS packaging, or some other method. Add a rule in the ISA Server to allow all internal clients HTTP, HTTPS, and FTP access to all Internet sites.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 345
D. Modify the Client Configuration screen in ISA Server to include
the autoconfiguration of the Firewall clients’ browsers. Install the Firewall client by putting a command in everyone’s logon script to execute the client’s setup program. Add site and content rules and protocol rules in the ISA Server to allow all internal clients HTTP, HTTPS, and FTP access to all Internet sites. Configure the HTTP Redirector filter. 2. You have a single network site (see exhibit) of 50 computers in
which you want to add an ISA Server. There is currently no protection for your connection to the Internet except that your internal clients are using a reserved network ID and the router is NAT-ting the addresses. Users will use the ISA Server for Internet access only. What client should you use and how will you get it installed and configured?
Client computer Campus A
ISA Server
A. Install the Firewall client through a manual process; configure
the computers individually as you install. B. Modify the clients’ web browsers to use the ISA Server as their
proxy server and configure the autoconfiguration text box of IE 5’s LAN Settings area with the autoconfiguration URL of the ISA Server. C. Use the Client Configuration node to enable automatic
installation of the Web proxy client. Install the Firewall client manually. Configuration occurs automatically. D. Manually change each client computer’s default gateway to the
internal interface of the ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
346
Chapter 6
■
Client Access
3. You’re in the process of installing a two-node ISA Server array, one
server in Campus A and one in Campus B (see exhibit) running in a Windows 2000 forest. The campuses are separated by 100 miles but are connected by a fiber optic circuit and routers. Each campus has a DHCP server. Campus A has about 200 users, Campus B about 400. Client requirements are to be able to send and receive Internet e-mail and to browse out to websites. You want clients in Campus A to utilize its ISA Server and clients in Campus B to utilize its ISA Server. What client will you install and how will you install it?
Router
Client computer
ISA Server
Router
Client computer ISA Server
Campus A
Note: Routers connecting network with ISP are not shown for clarity.
Campus B
A. Install the Firewall client. Use WPAD entries so the clients find
their appropriate ISA Server. Send users an e-mail that has as an attachment the MS_FWC.MSI file with appropriate switches to create a silent installation. Create appropriate rules to support the type of access the clients need. B. Install the Firewall client. Use WPAD entries so the clients find
their appropriate ISA Server. Send users an Active Directory package that includes the MS_FWC.MSIMSI file with appropriate switches to create a silent installation. Create appropriate rules to support the type of access the clients need. C. Install the Firewall client. Use WPAD entries so the clients find
their appropriate ISA Server. Modify the Client Configuration nodes to support autoconfiguration of the Firewall clients’ web browsers. Send users an e-mail that has as an attachment the MS_FWC.MSI file with appropriate switches to create a silent installation. Create appropriate rules to support the type of access the clients need.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 347
D. Install the Firewall client. Use WPAD entries so the clients find
their appropriate ISA Server. Modify the Client Configuration nodes to support autoconfiguration of the Firewall clients’ web browsers. Send users an Active Directory package that includes the MS_FWC.MSI file with appropriate switches to create a silent installation. Create appropriate rules to support the type of access the clients need. 4. You’re setting up an ISA Server in your single-campus, single-subnet
network. All 500 clients are running the Firewall and Web proxy clients. You’ve set up rules that allow for SMTP, HTTP, HTTPS, and FTP traffic through the firewall. You’ve configured and enabled the HTTP Redirector filter to allow Firewall clients’ access to the Web Proxy service in order to be able to utilize the URL cache. No Firewall client user is able to access the Internet. What could be the problem? A. The website is using a protocol that you’re not allowing through
the firewall. B. The HTTP Redirector filter is blocking authentication. C. You have anonymous authentication turned off on the
ISA Server. D. The external interface’s address is in the LAT. 5. You’re the administrator of a heterogeneous network that includes
Linux, Macintosh, and Windows clients. You want to install an ISA Server to act as a firewall on your network and for users to access the Internet. All 250 clients are on the same subnet. What client or clients should you use at deployment time? A. Firewall B. Firewall and Web proxy C. Web proxy D. Firewall and SecureNAT E. SecureNAT
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
348
Chapter 6
■
Client Access
6. You’re the administrator of a two-campus network (see exhibit)
connected by fiber optic cable and routers. Each campus has its own subnet. The two campuses are 500 meters apart. Clients in both campuses get their DHCP information from a single DHCP server in Campus A. Currently, you have an older firewall product running on the network, but you want to replace it with ISA Server. You intend to perform a straight switch-out with the new to the old. Your users need to receive and send Internet e-mail using Microsoft Outlook with Exchange Server as well as to go out to the Internet. What client should you utilize and how will you deploy it?
Internet Client computer
ISA Server
Router Client Campus B
Router
DHCP server Campus A
Note: Routers connecting network with ISP are not shown for clarity.
A. Install the SecureNAT client. Create protocol rules and site and
content rules to handle user requirements. B. Install the SecureNAT client. Adjust DHCP scopes. Create
protocol rules and site and content rules to handle user requirements. C. Install the Firewall client. Adjust the DHCP scopes and add
WPAD entries. Create protocol rules and site and content rules to handle user requirements. D. Install the Firewall client. No other adjustments are necessary.
Create protocol rules and site and content rules to handle user requirements. E. Install the Web proxy client. Adjust the DHCP scopes and
WPAD entries. Create protocol rules and site and content rules to handle user requirements. F. Install the Web proxy client. Adjust the DHCP scopes. Create
protocol rules and site and content rules to handle user requirements.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 349
7. You’re the administrator for an international software development
company. You have offices in London, New York, Tokyo, and San Francisco (see exhibit). Each office has about 1000 users, a server farm dedicated to that office’s operations, a DHCP server and scope dedicated to that office, and an administrator. All clients are Windows-based, with the exception of some test machines that are used for Linux development. You have two separate connections to the Internet—one in Tokyo, one in New York. All offices are connected by a high-speed (44Mbps) WAN circuit. You are implementing an ISA Server array of two servers, one at each Internet demarc. Users need to receive and send Internet e-mail, utilize a special protocol developed by your company for Internet collaborative efforts, and utilize the Internet using standard Internet protocols. What client or clients should you install and how will you install them? ISA Server
New York 172.17.x.y
London 172.18.x.y
DHCP server San Francisco 172.16.x.y
DHCP server
DHCP server
Internet
DHCP server
ISA Server
Tokyo 172.19.x.y
A. Install the Firewall and Web proxy clients (as configured by the
Client Configuration node for the Firewall client). Modify the DHCP scopes to include new default gateways. Use the automated method to deploy the Firewall client. Set up protocol rules and site and content rules to handle the proprietary company protocol, SMTP, HTTP, HTTPS, and FTP. B. Install the Firewall and Web proxy clients (as configured by the
Client Configuration node for the Firewall client). Modify DHCP scopes to include the WPAD entry. Use the automated method to deploy the Firewall client. Set up protocol rules and site and content rules to handle the proprietary company protocol, SMTP, HTTP, HTTPS, and FTP.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
350
Chapter 6
■
Client Access
C. Install the Firewall and Web proxy clients (as configured by the
Client Configuration node for the Firewall client). Modify the DHCP scopes to include new default gateways (if necessary) and WPAD entries. Use the automated method to deploy the Firewall client. Set up protocol rules and site and content rules to handle the proprietary company protocol, SMTP, HTTP, HTTPS, and FTP. D. Install the Firewall and Web proxy clients (as configured by the
Client Configuration node for the Firewall client). Modify the DHCP scopes to include new default gateways (if necessary) and WPAD entries. Use the automated method to deploy the Firewall client. Set up protocol rules and site and content rules to handle the proprietary company protocol, SMTP, HTTP, HTTPS, and FTP. Configure Linux computers to use the Web proxy client. 8. You’ve set up your ISA Server and have configured all 100 users
on your network to use the SecureNAT client. User requirements are very basic: receiving and sending of Internet e-mail using the Outlook client with Exchange Server and utilizing the Internet for basic web services. Users are not able to access the Internet, nor can they receive any e-mail. When looking at the ISA Management console, you see the following screen (see exhibit). What could be the problem? (Choose all that apply.)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 351
A. Protocol rules have not yet been established for client
connectivity. B. Site and content rules have not yet been created for client
connectivity. C. Packet filters have not yet been created for client connectivity. D. The SecureNAT clients’ default gateway has not yet been
configured. 9. Which clients can make use of the HTTP Redirector filter?
(Select all that apply.) A. Firewall B. Web proxy C. SecureNAT D. None of the above E. All of the above 10. What client would you install if you wanted to set up your telecom-
muting users who will utilize the ISA Server VPN components to access the private network? A. SecureNAT B. Firewall C. Web proxy D. None of the above E. All of the above 11. You are planning your ISA Server deployment. Your plans include
the following: support for H.323, NetMeeting, and Instant Messaging (IM); giving users the ability to utilize the Internet; sending and receiving of Internet e-mail; and distance learning utilizing a streaming protocol. Your users are all Windows 2000 Professional users in a Windows 2000 Server Active Directory environment. You have one site, 500 users, and one subnet. What client or clients will you use and how will you deploy them?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
352
Chapter 6
■
Client Access
A. Configure the Web proxy client in the Client Configuration
node to allow for autoconfiguration. Add a WPAD entry to the DHCP and DNS servers. Modify each client’s browser to point to the internal interface of the ISA Server and include the autoconfiguration script address. Create the site and content rules and protocol rules needed. B. Configure the Web proxy client in the Client Configuration node
to allow for autoconfiguration. Publish the Firewall client through Active Directory. Add a WPAD entry to the DHCP and DNS servers. Create the site and content rules and protocol rules needed. C. Configure the Web proxy client in the Client Configuration node
to allow for autoconfiguration. Publish the Firewall client through Active Directory. Create the H.323 gateway, and create the site and content rules and protocol rules needed. D. Configure the Web proxy client in the Client Configuration
node to allow for autoconfiguration. Publish the Firewall client through Active Directory. Modify each client’s browser to point to the internal interface of the ISA Server and include the autoconfiguration script address. Create the H.323 gateway, and create the site and content rules and protocol rules needed. 12. You have a three-campus site (see exhibit). There are no routers
in between the connecting points in the sites. The campuses are connected with fiber optic cable. You’ve installed an ISA Server and configured it so that users can access the Internet and send and receive Internet e-mail. You’ve decided that the SecureNAT client will be the client you’ll utilize on this network. Users in Campus B and Campus C, however, cannot access the Internet and are complaining of that and the fact that they cannot get Internet e-mail. What could be the problem? (Select all that apply.)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 353
Note: Routers connecting network with ISP are not shown for clarity. Client 172.65.x.y DHCP server 255.192.0.0 Campus C Client 172.0.x.y DHCP server 255.192.0.0 Campus A
Client Internet
172.129.x.y DHCP server 255.192.0.0 Campus B
ISA Server
A. The SecureNAT client doesn’t support Internet or e-mail access. B. You’ve not yet configured the HTTP Redirector filter. C. You don’t have a router between sites. D. The LAT does not include all of the subnets. 13. You have a three-campus site (see exhibit). The campuses are
connected with fiber optic cable and routers. You’ve installed an ISA Server and configured it so that users can access the Internet and send and receive Internet e-mail. You’ve decided to utilize the SecureNAT client on this network. Users in Campus B and Campus C, however, cannot access the Internet and are complaining of that and the fact that they cannot receive Internet e-mail. What could be the problem? (Select all that apply.) Note: Routers connecting network with ISP are not shown for clarity. Router
Client 172.65.x.y DHCP server 255.192.0.0 Campus C
Client 172.0.x.y DHCP server 255.192.0.0 Campus A
Client 172.129.x.y DHCP server 255.192.0.0 Campus B
Copyright ©2001 SYBEX, Inc., Alameda, CA
Internet ISA Server
www.sybex.com
354
Chapter 6
■
Client Access
A. The site and content rules don’t contain a client set or sets for
the other campuses. B. The protocol rules don’t contain the proper protocols. C. The Local Area Table doesn’t contain entries for the other
subnets. D. The routers do not contain helper addresses for the default
gateway. E. The IP packet filters are not configured correctly. 14. You have a three-campus site (see exhibit). The campuses are
connected with fiber optic cable and routers. You’ve installed an ISA Server array member in each campus and configured them so that users can access the Internet and send and receive Internet e-mail through the Outlook client and Exchange Server. You also want clients to utilize a local URL cache. Clients are all Windows 9x, Me, NT, or 2000 Professional. What client would you opt to install and how would you install it? Note: Routers connecting network with ISP are not shown for clarity. Client ISA Server DHCP server 172.65.x.y Campus C 255.192.0.0
Router
Client 172.0.x.y DHCP server 255.192.0.0 Campus A
Client ISA Server DHCP server 172.129.x.y Campus B 255.192.0.0
Internet ISA Server
A. Install the Firewall client by using the Active Directory package.
Configure the Client Configuration node for the Web proxy client to include autoconfiguration. Enable and configure the HTTP Redirector filter. Set up the appropriate site and content rules and protocol rules.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 355
B. Install the Firewall client by using the Active Directory package
or other methodology. Configure the Client Configuration node for the Web proxy client to include autoconfiguration. Enable and configure the HTTP Redirector filter. Set up the appropriate site and content rules and protocol rules. C. Install the SecureNAT client. Set up the appropriate site and
content rules and protocol rules. Ascertain that the default gateway for all clients points to the internal interface of ISA Server or to the appropriate routing authority. Enable and configure the HTTP Redirector filter. D. Install the Web proxy client. Configure DHCP and DNS to
support WPAD entries for autoconfiguration. Set up the appropriate site and content rules and protocol rules. 15. You have a three-campus site (see exhibit). The campuses are
connected with fiber optic cable and routers. You’ve installed an ISA Server array member in each campus and configured them so that users can access the Internet. Users in Campus A and Campus C will utilize their respective local connection to the Internet. Users in Campus B should access the Internet through Campus A’s Internet connection. You also want clients to utilize a local URL cache. Clients are all Windows 9x, Me, NT, or 2000 Professional. You opt to utilize the SecureNAT client. Users in Campus B are unable to access the Web. What could be the problem? Note: Routers connecting network with ISP are not shown for clarity.
Internet
Client ISA Server DHCP server 172.65.x.y Campus C 255.192.0.0
Router
Client 172.0.x.y DHCP server 255.192.0.0 Campus A
Client ISA Server DHCP server 172.129.x.y Campus B 255.192.0.0
Copyright ©2001 SYBEX, Inc., Alameda, CA
Internet ISA Server
www.sybex.com
356
Chapter 6
■
Client Access
A. You have not yet configured the HTTP Redirector filter on
Campus B’s ISA Server. B. Campus B’s subnet has not yet been keyed into Campus A’s LAT. C. Your site and content rules do not allow Campus B to
participate. D. Your protocol rules do not allow Campus B to participate. 16. In the past, you’ve used the Internet Explorer Administration Kit
(IEAK) to develop a customized browser that your users are now utilizing. You’re now augmenting your edge firewall server with an ISA Server in order to bring web filtering to the network so you can prevent users from surfing out to undesirable sites. The old and new setups are shown in the exhibit. Unfortunately, the IEAK browser is hard-wired in the proxy server section to point to the old firewall. How do you solve this problem and get client browsers pointed to the new proxy server address?
Internet
Non-MS firewall server External: 113.12.1.22 Internal: 172.16.1.1
Note: Routers connecting network with ISP are not shown for clarity.
Client ISA Server 172.16.1.13
A. Rerun the IEAK to create a new proxy server entry. Re-deploy it
to the users. B. Swap addresses with the third-party firewall’s internal interface. C. Set up WPAD in the DHCP and DNS servers for auto-
configuration information for Web proxy clients. D. Deploy the Firewall client.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 357
17. Of the clients listed below, which one is backward-compatible with
Microsoft Proxy Server 2.0? A. Firewall B. Web proxy C. Winsock Proxy D. SecureNAT 18. You’re the administrator of a two-campus, 150-user network owned
by a software development company (see exhibit). One campus consists of engineers who utilize Linux computers with the Netscape browser as well as Windows 2000 Professional computers with Internet Explorer. The other consists of the business office, which utilizes strictly Windows 2000 Professional and IE. The two campuses are connected by gigabit Ethernet switches and a fiber optic cable and are on the same subnet. The DHCP server is in Campus A. Clients need access to the ordinary suite of web protocols as well as the ability to send and receive Internet e-mail through the Outlook client and Exchange Server. What client or clients will you use and how will you install it/them?
Internet ISA Server
Note: Routers connecting network with ISP are not shown for clarity.
Linux client Windows 2000 client
Windows 2000 client DHCP server Campus A
Campus B
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
358
Chapter 6
■
Client Access
A. Install SecureNAT and Web proxy clients for both platforms.
Use manual installation. Create the protocol rules and site and content rules needed. B. Install SecureNAT and Web proxy clients for Campus B and
the Firewall client for Campus A. Use manual installation for Campus B, automated installation for Campus A. Create the protocol rules and site and content rules needed. C. Install SecureNAT and Web proxy clients for Campus B.
Manually install the Firewall client with the Web proxy client for Campus A. Create the protocol rules and site and content rules needed. Enable the HTTP Redirector filter. D. Manually install the SecureNAT client for both platforms. Create
the protocol rules and site and content rules needed. 19. You’re the administrator of a two-campus, 150-user network owned
by a software development company that develops Internet-based virtual collaboration software utilizing a proprietary protocol. One campus consists of engineers who utilize Linux computers with the Netscape browser as well as Windows 2000 Professional computers with Internet Explorer. The other consists of the business office, which utilizes strictly Windows 2000 Professional and IE. (See exhibit.) The two campuses are connected by gigabit Ethernet switches and a fiber optic cable and are on the same subnet. The DHCP server is in Campus A. Clients need access to the ordinary suite of web protocols as well as the ability to send and receive Internet e-mail through the Outlook client and Exchange Server. What client or clients will you use and how will you install them?
Internet ISA Server
Linux client Campus B
Copyright ©2001 SYBEX, Inc., Alameda, CA
Windows 2000 client DHCP server Campus A
Note: Routers connecting network with ISP are not shown for clarity.
www.sybex.com
Review Questions 359
A. Use SecureNAT and Web proxy clients for Campus B. Use the
Firewall client with the Web proxy client for Campus A. Do a manual installation. Create the protocol rules and the site and content rules needed. Enable the HTTP Redirector filter. B. Use SecureNAT and Web proxy clients for Campus B. Use the
Firewall client for Campus A. Do an automated installation for both campuses. Create the protocol rules and the site and content rules needed. C. Use SecureNAT and Web proxy clients for both platforms. Do a
manual installation. Create the protocol rules and the site and content rules needed. D. Use SecureNAT client for both platforms. Do a manual
installation. Create the protocol rules and site and content rules needed. 20. You’re the administrator of a two-campus, 150-user network owned
by a software development company. One campus consists of engineers who utilize Linux computers with the Netscape browser. The other consists of the business office, which utilizes strictly Windows 2000 Professional and IE. (See exhibit.) The two campuses are connected by gigabit Ethernet switches and a fiber optic cable and are on the same subnet. The DHCP server is in Campus A. Clients need access to the ordinary suite of web protocols as well as the ability to send and receive Internet e-mail through the Outlook client and Exchange Server. What client or clients will you use and how will you install them?
Internet ISA Server
Linux client Campus B
Copyright ©2001 SYBEX, Inc., Alameda, CA
Windows 2000 client DHCP server Campus A
Note: Routers connecting network with ISP are not shown for clarity.
www.sybex.com
360
Chapter 6
■
Client Access
A. Use SecureNAT and Web proxy clients for Campus B. Use the
Firewall client with the Web proxy client for Campus A. Do an automated installation. Create the protocol rules and the site and content rules needed. Enable the HTTP Redirector filter. B. Use SecureNAT and Web proxy clients for Campus B. Use the
Firewall client with web proxy autoconfiguration for Campus A. Do a manual installation for both campuses. Create the protocol rules and the site and content rules needed. C. Use SecureNAT and Web proxy clients for both platforms. Do a
manual installation. Create the protocol rules and the site and content rules needed. D. Use SecureNAT and Web proxy clients for both platforms. Do a
manual installation. Create the protocol rules and the site and content rules needed.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 361
Answers to Review Questions 1. D. The Firewall client is not only the easiest client to install through
automated methods, it’s also the most encompassing because you can include automatic browser configuration as well. There’s no need for messy IEAK work here. You don’t need autodiscovery and WPAD set up because you’ll be using only a single ISA Server. If you configure the HTTP Redirector filter, both the Firewall and the Web proxy client can take advantage of cached URL content. As always, you need rules that allow the transfer of these protocols through the firewall. Remember that at installation time, the firewall is closed for business. 2. B. Since the clients aren’t going to be taking part in SMTP e-mail
(at least according to the requirements given above), you needn’t concern yourself with the additional functionality that a Firewall client might bring. While A and C would work, they’re overkill for the requirements that have been set down. Simply modify the browsers to point to the ISA Server’s internal interface, and while you’re in there, add the autoconfiguration URL as well. 3. C. The trick with this question is that you’re probably lulled into thinking “AD…package…MS_ISA.MSI….” But what you’re not told
is which platforms you’ll be installing the clients on. You cannot send an AD package to anything other than Windows 2000 Professional or Server computers, so if you have Windows 9x, Me, or NT clients in your forest, even if they are capable of running the Installer, you can’t send the package. You’re stuck with some other method. In this case, since you’re not using SMS (why not?), you’ll have to resort to some other method. E-mail attachments are probably one of the easiest ways to go with something like this. The only change that might make the process smoother is to leave the MSI file where it is and simply e-mail a hyperlink to it instead.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
362
Chapter 6
■
Client Access
4. B. The Firewall and SecureNAT clients can access the Web Proxy
service and make use of the URL cache as long as you’ve installed ISA Server in integrated mode and you’ve configured and enabled the HTTP Redirector filter. But in order to make the firewall work with this configuration, you must configure a site and content rule on the firewall that allows anonymous access. If this rule is not in place, then Firewall clients will not be presented with an authentication dialog box, nor will they be able to get out onto the Internet. 5. C. Users are only going to access the Internet. There is no mention
made here of any other requirements that would demand the installation of other clients. Because the Web proxy client isn’t one that you “officially” install on a computer—rather it simply represents the configuration of the client’s browser to access the ISA Server— then the only thing you should have to worry about is browser compatibility on the various OS platforms. 6. B. You already know that DHCP between campuses is working okay
because users are utilizing it. This implies that BootP is enabled on the routers, which works very well with your ISA deployment plans. You don’t need to do any tricky stuff with the DHCP scopes. You’re also told in the description that you’re doing a switch-out— presumably you’ll keep the same IP address, thus negating any issues might have with the default gateway. Thus, your only real job in this case is to create the SMTP, HTTP, HTTPS, and FTP rules that you require in order to enable Internet access. You could also create site and content rules in order to keep users from certain restricted sites, if you so desired, or implement some third-party web-filtering software. 7. D. From a design perspective, this is a complicated scenario, but not
too confusing. You’ll want a Firewall client for your users, so you can bypass configuring the default gateway in DHCP. (This case, of course, assumes good-quality, working name-resolution services.) You configure the Web proxy client in the Client Configuration node of the ISA Management console to go along with the Firewall client. Configure DHCP with the WPAD entries so clients can find their home ISA Server. Adjusting the default gateway isn’t necessary.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 363
Set up the rules. Adjust your Linux browsers to point to the new proxy servers. By the way, because we’re obviously dealing with a Windows 2000 network here (because this is an array), the “automated method to deploy the Firewall client” we use could well be an Active Directory package—depending, of course, on the type of Windows clients we have. 8. A, B. You’re missing the protocol rules and site and content rules to
make the system work. ISA Server is, by default, set to be a closed door. It won’t open until you create the rules to open it. Answer D isn’t valid because we’re presuming that the phrase “have configured all 100 users on the network to use the SecureNAT client” means that the default gateway has already been set. 9. A, C. The HTTP Redirector filter is used to allow the Firewall and
SecureNAT clients to utilize the Web Proxy service of ISA. One benefit of using this filter is that these clients can utilize the URLcaching component of ISA Server. However, remember that there’s an authentication issue with the Firewall client and the HTTP Redirector filter. If a rule is set that does not allow anonymous authentication, then the Firewall client will not be allowed out on that protocol and the client will not be prompted with an authentication dialog box. 10. D. The ISA Server clients are intended for internal use—clients that
want to use the firewall for Internet access. A VPN client would not need to be configured with any ISA client in order to utilize an extranet connection through ISA to the internal network. 11. C. With client configurations, you can get confused about the com-
plexity of the situation at hand. For example, we’re told in this case that Active Directory is installed and that all of the clients are Windows 2000 clients—so pushing the Firewall client installation through Windows 2000 Software Installation and Maintenance is a pretty nifty way of getting the application installed on computers. The specialized protocol shouldn’t throw you. All you need to know is the protocol or protocols that the app uses, along with its port number; if there isn’t a protocol rule available for it, then you can
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
364
Chapter 6
■
Client Access
create it. Neither should the H.323 part stump you. Enabling the H.323 gateway is a piece o’ cake. (The H.323 gateway is covered in Chapter 3.) If you have outside parties who want to use IM or NetMeeting using the H.323 gateway, you simply make a rule that allows these protocols in the door. Setting up the autoconfiguration in the Client Configuration node is a great idea because the client becomes a Web proxy client as well. Any missing components? Perhaps the HTTP Redirector filter, though there are some authentication issues that may make you decide not to use it—especially in this more rarefied atmosphere. 12. C, D. These sites are in subnets that cannot talk to one another
without benefit of a router. The localized DHCP server is able to get the client its TCP/IP configuration information, but there is no way that Campus B can connect with computers in Campus C without benefit of a router or Layer 3 switch. SecureNAT is not a good choice for such a deployment, first because of the router problem and then because of the helper address problem, were you to install routers. The Firewall client won’t work in this environment either, because it wouldn’t have name-resolution capabilities and therefore could not access the ISA Server by name. Your solution in this case is to either change the subnets so they are all within the same network ID, add routers, or add Layer 3 switches. And even if all the above design worked, you’d still have an issue if you did not make sure that the proper subnets were entered into the LAT. 13. A, B, C, D. Answers A and B are possible considerations. However,
it would be more beneficial to look at C and D first, as these are the most likely areas to find the lack of connectivity. Remember that the SecureNAT client uses the client’s default gateway to get where it’s going. If you already have another default gateway, in the form of a router or firewall device, and you add an ISA Server, then you need to figure out how to make sure that clients point to the “new” default gateway and that the ISA Server, in turn, sends packets to the existing default gateway.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 365
14. B. The one hitch in the process here is the fact that users want to be
able to send and receive Internet e-mail through their Outlook client, not through their browser. If this constraint were not in place, you could simply use the Web proxy client. Instead, you would probably want to consider the full-blown suite of the Firewall client coupled with its matching Web proxy client and configured through the Client Configuration node of the ISA Management console. Remember that your protocol rules will need to stipulate anonymous access as a part of the authentication required for each protocol because of the HTTP Redirector filter not recognizing Firewall client authentication credentials. 15. C, D. Let’s think about this. The HTTP Redirector filter is used to
allow Firewall and SecureNAT clients access to the Web Proxy service, mostly for the purpose of accessing the URL cache. So answer A would have nothing to do with why users can’t access the Web, only that their surfing experience wouldn’t be as fast as it might if they were able to use the web cache. Also, simply by virtue of the fact that Campus B has an array member, we know that its subnet is in the local LAT. So, we have a problem with one of the rules, most probably because we’ve created a client set that doesn’t include Campus B’s users. 16. A. You’re stuck with this problem. You either have to rerun the
IEAK to develop a brand-new customized browser that points to the ISA Server as its proxy address, or you should consider making the clients Web proxy clients instead and use the ISA feature set to help you. 17. B. The Web proxy client is backward-compatible with Microsoft
Proxy Server 2.0. The Winsock Proxy is a Microsoft Proxy Server 2.0 client. 18. A. Both browser types can utilize proxy settings and the
autoconfiguration of browser settings from an ISA Server. The Internet e-mail SMTP stipulation will require the SecureNAT client as well. Manual installation will work fine in this case, as the number of nodes is minimal.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
366
Chapter 6
■
Client Access
19. C. The proprietary protocol should not throw you off, in terms of
what kind of client to select. You’ll still use the SecureNAT client along with the Web proxy client for your network. The only difference now is that you’ll create a unique protocol rule (or rules) for the proprietary protocol that your company is using. The client requirement is very basic, so these two easy-to-configure clients will work for you. Since you have a DHCP server that is local to both campuses, you shouldn’t have to worry about installing the full-blown Firewall client. 20. D. This is an easy client-configuration issue. Netscape will easily
utilize custom proxy settings. We’re assuming that the Linux clients are using an e-mail client that can utilize SMTP for Internet e-mail. You’ll manually configure the clients. Create the site and content rules and the protocol rules as needed for Internet access.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
7
Performance Tuning and Optimization of ISA Server MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security. ✓ Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis. ■
Analyze the performance of the ISA Server computer by using Performance Monitor.
■
Analyze the performance of the ISA Server computer by using reporting and logging.
■
Control the total RAM used by ISA Server for caching.
✓ Monitor security and network usage by using logging and alerting. ■
Configure intrusion detection.
■
Configure an alert to send an e-mail message to an administrator.
■
Automate alert configuration.
■
Monitor alert status.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using System Monitor
W
indows NT 4 called its performance-benchmarking utility Performance Monitor. In Windows 2000 Server, it’s called System Monitor. Both are essentially the same tool with only a few minor enhancements in the Windows 2000 version. You can bring up either one by simply choosing Start ➢ Run and then typing in the command Perfmon. In Windows NT 4’s case you’ll get Performance Monitor, but in Windows 2000’s case you’ll get System Monitor, as shown in Figure 7.1.
Note that on the ISA Server test, this utility will be referred to as Performance Monitor or possibly as Performance Tool, even though in the Windows 2000 world it’s called System Monitor. They’re one and the same.
Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis. ■
Analyze the performance of the ISA Server computer by using Performance Monitor.
■
Control the total RAM used by ISA Server for caching.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using System Monitor 369
FIGURE 7.1
The System Monitor screen
ISA Server adds to Windows 2000 some performance objects and counters that are specifically associated with ISA’s operation. A performance object is a portion of the system that you want to monitor, and a performance counter is a specific item pertaining to that object. Table 7.1 shows the performance objects that you can monitor, along with their associated counters. TA B L E 7 . 1
System Monitor Performance Objects and Their Counters ISA Server Bandwidth Control Actual Inbound Bandwidth Actual Outbound Bandwidth Assigned Connections Assigned Inbound Bandwidth Assigned Outbound Bandwidth ISA Server Cache Active Refresh Bytes Rate (KBps) Active URL Refresh Rate (URL/sec) Disk Bytes Retrieved Rate (KBps)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
370
Chapter 7
■
Performance Tuning and Optimization of ISA Server
TA B L E 7 . 1
System Monitor Performance Objects and Their Counters (Continued) ISA Server Cache Disk Cache Allocated Space (KB) Disk Content Write Rate (Writes/sec) Disk Failure Rate (Fail/sec) Disk URL Retrieve Rate (URL/sec) Max URLs Cached Memory Bytes Retrieved Rate (KBps) Memory Cache Allocated Space (KB) Memory URL Retrieve Rate (URL/sec) Memory Usage Ratio Percent (%) Total Actively Refreshed URLs Total Bytes Actively Refreshed (KB) Total Disk Bytes Retrieved (KB) Total Disk Failures Total Disk URLs Retrieved Total Memory Bytes Retrieved (KBps) Total Memory URLs Retrieved Total URLs Cached URL Commit Rate (URL/sec) URLs in Cache ISA Firewall Service Accepting TCP Connections Active Sessions Active TCP Connections Active UDP Connections Available Worker Threads Back-Connecting TCP Connections Bytes Read/sec Bytes Written/sec Connecting TCP Connections DNS Cache Entries DNS Cache Flushes DNS Cache Hits DNS Cache Hits % DNS Retrievals
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using System Monitor 371
TA B L E 7 . 1
System Monitor Performance Objects and Their Counters (Continued) ISA Firewall Service Failed DNS Resolutions Kernel Mode Data Pumps Listening TCP Connections Non-connected UDP Mappings Pending DNS Resolutions SecureNAT Mappings Successful DNS Resolutions TCP Bytes Transferred/sec by Kernel Mode Data Pump UDP Bytes Transferred/sec by Kernel Mode Data Pump Worker Threads ISA Server Packet Filter Packets Dropped Due to Filter Denial Packets Dropped Due to Protocol Violations Total Dropped Packets Total Incoming Connections Total Logging Packets Lost ISA Server Web Proxy Service Array Bytes Received/sec Array Bytes Sent/sec Array Bytes Total/sec Cache Hit Ratio (%) Cache Running Hit Ratio (%) Client Bytes Received/sec Client Bytes Sent/sec Client Bytes Total/sec Current Array Fetches Average Milliseconds/request Current Average Milliseconds/request Current Cache Fetches Average Milliseconds/request Current Direct Fetches Average Milliseconds/request Current Users DNS Cache Entries DNS Cache Flushes
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
372
Chapter 7
■
Performance Tuning and Optimization of ISA Server
TA B L E 7 . 1
System Monitor Performance Objects and Their Counters (Continued) ISA Server Web Proxy Service DNS Cache Hits DNS Cache Hits (%) DNS Retrievals Failing Requests/sec Ftp Requests Gopher Requests Http Requests HTTPS Sessions Maximum Users Requests/sec Reverse Bytes Received/sec Reverse Bytes Sent/sec Reverse Bytes Total/sec Site Denied Sites Granted SNEWS Sessions SSL Client Bytes Received/sec SSL Client Bytes Sent/sec SSL Client Bytes Total/sec Thread Pool Active Sessions Thread Pool Failures Thread Pool Size Total Array Fetches Total Cache Fetches Total Failing Requests Total Pending Connects Total Requests Total Reverse Fetches Total SSL Sessions Total Successful Requests Total Upstream Fetches Total Users Unknown SSL Sessions Upstream Bytes Received/sec Upstream Bytes Sent/sec Upstream Bytes Total/sec
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using System Monitor 373
TA B L E 7 . 1
System Monitor Performance Objects and Their Counters (Continued) H.323 Filter Active H.323 Calls Total H.323 Calls
Setting up a System Monitor session is pretty straightforward. In Exercise 7.1, you will set up a System Monitor session. EXERCISE 7.1
Setting Up a System Monitor Session 1. In the System Monitor MMC, click the Add button (plus sign) or right-click anywhere in the Details pane and select Add Counters. Note the Explain button in the Add Counters window. By selecting a counter and then clicking Explain, you’re given a terse message telling you what the counter does.
2. From the Performance Object drop-down list, pick the object that you’re interested in monitoring. In our example, we’ll use ISA Server Bandwidth Control.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
374
Chapter 7
■
Performance Tuning and Optimization of ISA Server
EXERCISE 7.1 (continued)
3. Next, select the counters that you want to monitor, either by selecting All Counters or individually picking them from the list.
4. Next, click Add. The counters are added to the Details pane of the current System Monitor session and begin tracking the activity of the items selected. Note that the Add Counters window doesn’t close—you can pick other counters to add to your session in addition to your initial selection.
5. Click Close to return to the System Monitor screen.
By clicking any one of the counters that show up in the bottom of the Details pane, you can change its color and font, prepare a report, change the graph style, or send the capture to a log. Highlighting any one of the counters brings its current Last, Average, Minimum, and Maximum values to the screen. Pressing Ctrl+H highlights the selected counter in the chart, making it easier to distinguish. You can easily toggle among chart, histogram, and report type data by simply clicking the buttons on the Details pane toolbar.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using System Monitor 375
Note that you may need to monitor other portions of your system in order to get a really good feel for what ISA Server is doing. For example, monitoring the cache hits alone may not reveal the whole story of why a server is running more slowly than anticipated. You may have to monitor the disk performance objects in addition to the ISA Server performance objects in order to find out if the disks are able to keep up with the load. The same goes for system memory. Figure 7.2 shows what the counters look like as they’re running—note that the picture shows a snoozing ISA Server in this case. FIGURE 7.2
Final System Monitor output
By utilizing System Monitor effectively, you can determine the performance of the ISA Server computer and then make good judgments about its operation. One considerations is capacity planning—are there enough ISA Servers in the enterprise to effectively meet users’ requirements? Allocation priorities are another concern—are users in outlying areas making the best use of web caching? Is the ISA Server adequately configured to
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
376
Chapter 7
■
Performance Tuning and Optimization of ISA Server
meet all criteria yet not so restrictive as to rule out reasonable requests? Also important is trend analysis—how does your ISA Server behave on a normal day’s operational cycle? You can also use System Monitor to determine if the amount of physical RAM in the computer is adequate for the amount of web caching you’re doing. It’s reasonable to say that a large number of servers in the world today suffer from RAM starvation—they simply don’t have the RAM it takes to do the job required of them. Remember that your ISA Server is the first-line interface for both your Internet and private network clients wishing to get out on the Internet; it is very important that you make sure that the ISA Server is adequately equipped with the RAM it needs to do its daily operations.
You can choose Start ➣ Programs ➣ Microsoft ISA Server ➣ ISA Server Performance Monitor to bring up System Monitor with several of the key performance objects and counters already loaded. By running ISA Server Performance Monitor, you automatically monitor all servers in the array without having to go to extra configuration lengths.
Performance Tuning
We should point out that there’s a bit of performance tuning you can do from within ISA Server. In the ISA Management console, rightclick the array name and choose Properties to bring up the Properties sheet for the array. Next, choose Performance and adjust the Performance Tuning slider to the appropriate number of users expected per day on this server: Fewer Than 100, Fewer Than 1000, or More Than 1000. Click OK. There are also some Registry keys that you can adjust for additional performance-tuning capability. Table 7.2 shows the Registry keys for HKEY_LOCAL_MACHINE\System\Current Control Set\Services\ and what they do. Please be careful when working with the Registry because making a mistake can force you to start all over with a server re-burn and reconfiguration! The values listed are Microsoft recommended values.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Performance Tuning 377
TA B L E 7 . 2
Performance Tuning Registry Keys Dword Value
Registry Key
Function
Location
TZ Persist Interval Threshold (Key needs to be added to the Registry.)
00000001
Indicates the interval, in minutes, that recovery data is inconsistent. If the Web Proxy service is suddenly stopped, the cache needs to be recovered. This setting says that no more than one minute’s worth of cache data will be lost during such an occurrence.
W3PCache\Parameters
Recovery Mru size threshold (Key needs to be added to the Registry.)
00000005
Denotes the time, in minutes, that the ISA Server will first go backward to recover cache data after a Web Proxy service shutdown. This setting is saying that after a Web Proxy service shutdown, the data cached during the last five minutes that the service was operational will be recovered first.
W3PCache\Parameters
MaxClientSession (Key needs to be added to the Registry.)
00002800
This registry key controls the size of the pool for the ClientSession object before the memory the pool is occupying is released. The number 2800 hex represents 10,240 client sessions. Releasing the memory held by the ClientSession object takes time, so we want this Registry object set at a high value.
W3Proxy\Parameters
OutstandAccept
000003e8
Manages the number of listeners that are waiting for a connection. The hex value 3e8 translates to 1000 listeners.
W3Proxy\Parameters
MaxUserPort
0000ffff
Sets the maximum number of TCP/IP ports (65,535) that can be opened by a single client.
Tcpip\Parameters
TcpTimedWaitDelay (Key needs to be added to the Registry.)
0000003c
Sets the time to wait, in seconds, before re-opening a port that had been opened by a previous connection. The hex time 3c represents 5 seconds.
Tcpip\Parameters
StrictTimeWaitSeqCheck (Key needs to be added to the Registry.)
1
Tells the system to wait for TcpTimedWaitDelay to pass before re-opening the socket.
Tcpip\Parameters
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
378
Chapter 7
■
Performance Tuning and Optimization of ISA Server
Some of these registry keys exist in a default installation, while others (marked with “Key needs to be added to the Registry.”) need to be created.
You Can Find Out a Lot about Your System—Especially by Baselining. You’ll have to practice using System Monitor a lot in order to get good with it. Just going into System Monitor and then willy-nilly setting up performance object counters may not produce any viable data. You have to think about which counters you want to observe and if they make any sense with what you’re trying to do. For example, monitoring packet filtering if you have no packet filters enabled or running apart from the seven default packet filters might yield no useful information. And, as stated above, it’s important to set up System Monitor sessions that reveal both the software and hardware pictures of the computer. It’s a good idea to use System Monitor with some well-known performance objects (such as disk, processor, memory, and network interface) to get a baseline of the kind of performance your system is capable of in its new pristine state. Then install ISA Server and grab another baseline, this time including key ISA Server counters. Come back a month after the system goes into production and catch yet another System Monitor session, including the original ISA Server counters. You’ll be able to really drill in and tell where the high points are in your system, and then you’ll be able to make intelligent decisions about whether the system needs to be beefed up in any way or if it’s fine as is. As you add load to the system, be sure to run another session to see how the system’s been affected by the increase in usage.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 379
Using and Interpreting Reports
O
f all of the features associated with ISA Server, the Reports capability is the one that will give the most mileage to stakeholders who want to see tangible output of what’s going on with the network. ISA Server can periodically create scheduled reports for you and populate them into a named directory. Before we go any further, though, we must understand ISA Server’s logging capabilities, for it is from the logs that the reports are drawn.
Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security. Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis. Analyze the performance of the ISA Server computer by using reporting and logging.
■
Logging ISA Server comes with three logs by default. You can view them in the same place where you go to view and create reports—the Monitoring Configuration node of the ISA Management console. The three logs created are as follows: ■
IP Packet Filters
■
ISA Server Firewall Service
■
ISA Server Web Proxy Service
Double-click any log to edit its properties, as shown in Figures 7.3 and 7.4. Note that the Properties sheet of each log consists of a Log tab, where you configure the file format, schedule, and name of the log, and a Fields tab, which shows the fields that contain data that is going to be written out to the logs. By default all three logs are enabled.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
380
Chapter 7
■
Performance Tuning and Optimization of ISA Server
FIGURE 7.3
The Log tab of the Packet Filters Properties sheet
FIGURE 7.4
The Fields tab of the Packet Filters Properties sheet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 381
Alternatively, you can write the logs to a SQL Server or other ODBCsupported database—a very cool capability. It’s important to note that if you have a busy ISA Server (or ISA Server array), you’re doing a lot of logging onto a database, so you’d better consider the appropriateness of hosting the database directly on the ISA Server. It may be better, in busy environments, to consider hosting the database on a separate computer.
The Fields tab, shown in Figure 7.4, shows a typical packet filter log. Note that the IP header is not included in the log but may provide for very interesting reading, particularly if you think you’re being subjected to periodic attacks. A godsend is the Destination IP field, from which you can begin to backtrack to find the culprit. Note, too, that if someone happened to have been mucking around with the fields, you can simply click the Restore Defaults button to get your original configuration back.
Log File Formats There are two reporting file formats: W3C extended log and ISA Server. It’s important to understand them. Take a look at Figure 7.5. Here you see the list of fields that ISA Server will be logging as it goes about its work. With the W3C file format, only the fields that are checked are reported in the log. However, with the ISA Server format (the default format) you get what are called directives: version, date, and field information. So with the W3C format, you receive both the data and the directives in the log, but only for the fields you’ve checked. With the ISA format, you get the data from all of the fields, even if they’re not checked, but you don’t get the directives. When setting up your reports, it’s important to be cognizant of the type of file format that you’re using so you’re not surprised by the lack of (or, conversely, the plethora of) data you’re given. Each log file has its own distinctive set of fields that it reports on—some with fewer fields and some with more. There are only three logs: IP Packet Filters, ISA Server Web Proxy Service, and ISA Server Firewall Service, and you cannot create others.
Log File Options Click the Options button on the Log tab to open the log file Options window, shown in Figure 7.6. This is a very important dialog box to get acquainted with because several questions show up on the test relative to settings you can make here.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
382
Chapter 7
■
Performance Tuning and Optimization of ISA Server
FIGURE 7.5
ISA log fields
FIGURE 7.6
The ISA log file Options window
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 383
Note first that you can opt to write the log file to the ISALogs Folder or to Other Folder. There’s a very subtle thing going on here. If you have several ISA Servers in an array, and you opt to write your logs to Other Folder, what you’re really saying is, “I’ve elected to have each array member write its own log files to whatever folder I specify here.” This means that you could put all the log files in a single folder of your choice, or you could put them in separate folders. If you opt for the default of ISALogs, note that all of the log files are written to the original ISA installation folder—which is centrally located and easy to find. Note, too, the ability to compress the log files and to limit their number to a set amount. Both options are enabled by default. On the test, you can expect questions that revolve around the best way to keep down the size of your log file disk—compression and limiting the number of log files is the answer.
You should keep your ISA Server logs on an NTFS partition. They contain highly sensitive information, and NTFS allows you to set very granular permissions to keep prying eyes out.
Finally, take note of the log-file-naming convention, as shown back in Figure 7.5. It’s important to be able to recognize each of the log file’s names and what they are logging. For example the IPPEXTnyyyymmdd.log file is logging IP packet filter information. The n changes relative to the duration of the log that you’re viewing—daily (D), weekly (W), monthly (M), or yearly (Y). There is also an FWSEXTnyyyymmdd.log file that logs the events relative to the Firewall service and a WEBEXTnyyyymmdd.log file that handles the Web Proxy service logging. You will see questions on the test relative to these filenames, and it’s important to be able to correlate what they’re logging respective to a given ISA Server’s activity. You would not, for example, find out information about the blocking of IRC in the Web Proxy log file but rather in the IP Packet Filters log file. The format for the log filename changes based upon the type of log you are creating. Whereas the above format is correct for the daily log, the weekly logs are Wyyyymmw, monthly are Myyyymm, and yearly are Yyyyy. The three logs, IPPEXT, FWSEXT, and WEBEXT, all follow this same format.
When accessing a database in order to write log information to it, you first need to set up an ODBC connection. You must also use a System Data Source Name (DSN), as opposed to a User DSN.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
384
Chapter 7
■
Performance Tuning and Optimization of ISA Server
Reporting Now back to the reporting component—understand that the reports are created from log data. Navigate down the ISA Management console to the Monitoring Configuration node and then to the Report Jobs section shown in Figure 7.7. Notice that we have the opposite situation of the Logs section—there are no default reports created. FIGURE 7.7
The Report Jobs section of the Monitoring Configuration node
Creating a new report is quite easy. Right-click the Report Jobs section and select New ➢ Report Job or, alternatively, with the Report Jobs section highlighted, click the Action menu and select New ➢ Report Job. The Report Job Properties sheet appears, containing four tabs: General, Period, Schedule, and Credentials. We’ll talk about each. General In this tab, shown in Figure 7.8, you give the report a meaningful name and description, and you can enable or disable the report. The report is, by default, enabled. Period Period is different from Schedule. Period means how often the report should generate itself, while Schedule refers to when a report will fire off. In Figure 7.9, you see the Period tab; note that the default period is Daily.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 385
FIGURE 7.8
The General tab of the Report Job Properties sheet
FIGURE 7.9
The Period tab of the Report Job Properties sheet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
386
Chapter 7
■
Performance Tuning and Optimization of ISA Server
Schedule The Schedule tab, shown in Figure 7.10, allows you to set up the calendar that the report will use. You have the option of having the report fire off Immediately (the default) or you can schedule it for another time. You can also choose to have the report recur on a routine basis, such as daily, on certain days, or once a month. The default is to generate the report only once. FIGURE 7.10
The Schedule tab of the Report Job Properties sheet
Credentials The Credentials tab, shown in Figure 7.11, allows you to key in specific account information, stipulating the user account that’s allowed to run the report for specific servers. The domain and password are required as well. Note that you cannot enter groups in this section. Next, you navigate through the ISA Management console as follows: Servers And Arrays ➢ Server Or Array Name ➢ Monitoring ➣ Reports. Within this node, you’ll see five sections for different report types: Summary, Web Usage, Application Usage, Traffic And Utilization, and Security. To view any report, you simply highlight a report within a given report type, right-click it, and select Open.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 387
FIGURE 7.11
The Credentials tab of the Report Job Properties sheet
Reports are generated from log files. Logs are generated at 12:30 A.M. according to the schedule you set for logging (daily, weekly, etc.). No information will be available until at least one log has been generated.
The Summary report type is perhaps the most useful because it contains information such as the Protocols that are in use over ISA Server, the Top Users, the Top Web Sites, Cache Performance, Traffic, and Daily Traffic. A sample of the Summary report is shown in Figure 7.12. You can run a Summary report based upon any of the reports that you previously created. For example, let’s suppose that you had created a report called Daily and one called Weekly. When navigating to a given report type, for example, Summary, both reports will show up in the Summary section of the Reports node, giving you an opportunity to report on summary data for the day or for the week, depending on the report you select. It’s all very easy to understand and easy to configure.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
388
Chapter 7
■
Performance Tuning and Optimization of ISA Server
FIGURE 7.12
An ISA Summary report
If you were to navigate to the Web Usage report type, you’d see Daily and Weekly again, but this time when you run one of the two reports, the data you’d retrieve would be information that pertained to web usage for that particular report. The Web Usage report includes Top Web Users, Top Web Sites, Protocols, HTTP Responses, Object Types, Browsers, Operating Systems, and Browsers vs. Operating Systems—very important and valuable information to have. The HTTP Responses section details the response that ISA Server gave for an HTTP request. Object Types reveals the type of object that ISA Server delivered for a web request. You’ll use the Application Usage report to determine how the applications you’re publishing through ISA Server to the Internet are being utilized. The Application Usage report shows some of the same basic information such as Protocols, but it also reveals information such as Top Application Users, Top Applications, Operating Systems, and Top Destinations. In the Traffic And Utilization report, you’re given information on Protocols, Traffic, Cache Performance, Connections, Processing Time, Daily Traffic, and probably the most important one, Errors.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 389
Note that any of these reports generated within an array summarize the information for the entire array.
Surely the most important report type is the Security report. Within this report type you’re given two very distinctive elements: Authorization Failures and Dropped Packet. You’ll use this information to glean whether there is an attempt to launch an intrusion attack against you or whether someone is attempting to crack your security and get inside the firewall. All of the reports launch in a browser and use hyperlinks to send you to the appropriate section of the report you’re interested in. Table 7.3 shows the five ISA Server reports and the category of data that you can expect to find within each report. There are questions on the test that will show you sample reports and then ask you troubleshooting or configuration questions about them—so it’s good to know and understand where you’d look for a given component of data within a report. TA B L E 7 . 3
Reports and Their Sections
Report Name
Sections in Report
Comments
Summary
Protocols
Communication protocols used to move traffic through ISA Server Most prolific users of the ISA Server, including web traffic Most popular websites visited Yields the hit ratio, illustrating cache performance Monitors traffic for the report period Monitors traffic for a given day
Top Users Top Web Sites Cache Performance Traffic Daily Traffic Web Usage
Top Web Users Top Web Sites Protocols HTTP Responses
Copyright ©2001 SYBEX, Inc., Alameda, CA
Most prolific users of the Web proxy traffic Most popular websites visited Communication protocols used to move traffic through ISA Server How the ISA Server responded to HTTP requests
www.sybex.com
390
Chapter 7
■
Performance Tuning and Optimization of ISA Server
TA B L E 7 . 3
Reports and Their Sections (Continued)
Report Name
Application Usage
Sections in Report
Comments
Object Types Browsers Operating Systems Browsers vs. Operating Systems
Objects used to satisfy web requests Browsers used Operating systems used Browsers used by OS
Protocols
Communication protocols use to move traffic through ISA Server Users who have generated the most application traffic through ISA Server Applications that have generated the largest amount of network traffic through ISA Server Operating systems used Destinations that caused the most network traffic (by IP address)
Top Application Users Top Applications
Operating Systems Top Destinations Traffic And Utilization
Protocols Traffic Cache Performance Connections Processing Time Daily Traffic Errors
Security
Authorization Failures Dropped Packets
Communication protocols used to move traffic through ISA Server Network traffic through ISA Server Yields the hit ratio, illustrating cache performance Peak number of simultaneous connections Average processing time Network traffic through ISA Server per day Problems encountered communicating with other computers Users who’ve failed to authenticate to ISA Server Users who sent packets that were dropped by ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 391
Keep in mind that two different components must be in place for a report to reflect reality. You must create and enable Report Jobs and you must enable the logs that the report uses. If either of these components is disabled for whatever reason, your report may work but you’ll be getting only partial data. Let’s use Exercise 7.2 to configure and run a daily report. EXERCISE 7.2
Configuring and Running a Report 1. Navigate down through the ISA Management console to Monitoring Configuration ➣ Report Jobs.
2. Right-click Report Jobs and select New ➣ Report Job. 3. Under the General tab of the Properties sheet, key in a meaningful name for the report and a description if needed, and make sure the report is enabled.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
392
Chapter 7
■
Performance Tuning and Optimization of ISA Server
EXERCISE 7.2 (continued)
4. Under the Period tab, make sure Daily is selected.
5. Under the Schedule tab, you must indicate when you want the reports to start generating. Let’s go with the defaults as shown here.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Using and Interpreting Reports 393
EXERCISE 7.2 (continued)
6. Under the Credentials tab, key in any user-specific credentials that may be required to run this report. In this exercise, we’ll leave these fields blank. You must supply valid credentials to complete the job configuration. If you provide a username without sufficient privileges to the machine, the configured job will fail to run and no data will be available.
7. Next, we’ll validate that the logs are all enabled. Move up one section in the ISA Management console to Monitoring Configuration ➣ Logs. In this node, you should see three logs: Packet Filters, ISA Server Firewall Service, and ISA Server Web Proxy Service. Doubleclick the Packet Filters log, and verify that the Enable Logging For This Service check box is checked. Then click OK.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
394
Chapter 7
■
Performance Tuning and Optimization of ISA Server
8. Repeat step 7 within the same node for the ISA Server Firewall Service and the ISA Server Web Proxy Service.
9. Now you’re ready to run a report. Navigate through the ISA Management console to Monitoring ➣ Reports ➣ Summary. Doubleclick the Summary report to bring up a summary report for your ISA Server.
Are You Being Hacked? You’ve recently implemented ISA Server and have set up various destination sets, client address sets, and content groups. You have several hours invested in creating rules that fit your business criteria. The ISA Server is now sitting on the DMZ and is the primary entry point to your network, having replaced an older firewall product that was not nearly as robust or feature-rich as ISA.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 395
You let the firewall run for a day and then anxiously begin to run some reports the following business day. Surprisingly, the Security report reveals that ISA is dropping a lot of packets of a certain type. You are pretty sure that you don’t have a rule that affects this particular packet, so why are they being dropped? Remember that once packet filtering is enabled, the rules in place are the de facto Allow or Deny rules for all packets coming into and going out of the ISA Server. So, if there isn’t a specific rule allowing the packet to enter or go out, it’s dropped. Are you being hacked? Probably not. Is ISA being efficient? Yes, most definitely.
Monitoring the ISA Server
There are several components to the Monitoring node of the ISA Management console. We’ve talked about Reports already, simply because there’s quite a bit of detail that you need to be aware of relative to reports. But ISA Server monitors other items and reports them within the body of the Monitoring node. We’ll deal with three other nodes in this section: Alerts, Services, and Sessions.
Monitor security and network usage by using logging and alerting. ■
Configure an alert to send an e-mail message to an administrator.
■
Automate alert configuration.
■
Monitor alert status.
Alerts Alerts are created when there is some activity on the ISA Server system of which you need to be aware. ISA Server puts up alerts for all computers in the ISA Server array and allows you to review, monitor, troubleshoot, and
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
396
Chapter 7
■
Performance Tuning and Optimization of ISA Server
analyze the performance of your ISA Servers. The alerts are created automatically and are not configurable, although you can delete them. To view the Alerts section, navigate through the ISA Management console to Monitoring ➢ Alerts. You’ll see a screen similar to the one in Figure 7.13. The view shown is Taskpad view—you can toggle to Advanced view simply by choosing View ➢ Advanced on the menu bar at the top of the screen. To switch back to Taskpad view, choose View ➢ Taskpad. Figure 7.14 shows the Advanced view. FIGURE 7.13
The Alerts pane, shown in Taskpad view
You can reset any alert by simply highlighting it, right-clicking it, and choosing Reset from the resulting menu or by choosing Reset Alert while in Taskpad view (or from the Action ➢ Reset menu). Resetting the alert makes it go away, but it does not necessarily solve the problem.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 397
FIGURE 7.14
The Alerts pane, shown in Advanced view
If you want to adjust and configure any alerts, navigate through the ISA Management console to Monitoring Configuration ➢ Alerts. Many different pre-configured alerts are displayed in the Details pane, as shown in Figure 7.15. FIGURE 7.15
Pre-configured alerts
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
398
Chapter 7
■
Performance Tuning and Optimization of ISA Server
Double-click any alert to bring up the Properties sheet for that alert (or, alternatively, right-click an alert and select Properties, or choose Action ➢ Properties). There are three tabs that can be utilized: General The General tab allows you to name or rename the alert, provide a meaningful description and, most important, enable or disable it. About 80 percent of the alerts are enabled by default. Those that are not show a red downward-pointing arrow in their icon. Events The Events tab, shown in Figure 7.16, allows you to control the actions that will occur following an event associated with the alert. The event’s name and a brief description are shown. You can choose the number of instances that can occur before an alert is issued and the number of events per second that must occur before an alert is issued. You can also select when recurring actions are performed—whether immediately, after a manual reset of an event, or after a specific time, in minutes, since the last event. FIGURE 7.16
The Events tab of the Alert Properties sheet
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 399
Actions The most important feature of an alert configuration screen is the Actions tab—what the system should do to notify you. You can choose to e-mail someone of the event and include a Cc: as well, as shown in Figure 7.17. You can also run a program, stop or start certain services, and write the event to the event log. FIGURE 7.17
The Actions tab of the Alert Properties sheet
Note that when configuring e-mail alerts, you can browse out to the Simple Mail Transport Protocol (SMTP) server you want to utilize for the e-mailing process. You’ll have to provide valid credentials when connecting to this server. You can also test your e-mail connectivity prior to implementing the e-mail configuration.
The option to start or stop a service would be helpful in the event that you were encountering an intrusion or a hack that was pointed at a specific service.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
400
Chapter 7
■
Performance Tuning and Optimization of ISA Server
You can also run a wizard by right-clicking the Alerts node under Monitoring Configuration and selecting New from the menu that appears. The wizard looks like any of the other ISA Server wizards and walks you through the creation of a new alert. Chances are, with all of the pre-configured alerts in the system, you won’t need to venture into this arena. Let’s use Exercise 7.3 to run through the process of configuring an alert. EXERCISE 7.3
Configuring an Alert 1. In the ISA Management console, navigate down to the Monitoring Configuration ➣ Alerts section. When you click the Alerts node, all of the alerts that are installed with ISA Server at initial installation appear, as shown below.
2. The Cache Write Error alert might be very useful if you’re using URL caching and something goes wrong. Let’s edit this configuration. Double-click the alert to bring up its Properties sheet. Note under the General tab shown below that you can modify the alert’s description and its name and that you can opt to disable the alert. It is currently enabled.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 401
EXERCISE 7.3 (continued)
3. Click the Events tab to reveal the event or events that will cause the alert to be sent out. Notice in this case that we want an alert to be sent out every time this specific event (failure to write to the cache) occurs. (When dealing with an array, be sure to select from either Any Server or This Server.)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
402
Chapter 7
■
Performance Tuning and Optimization of ISA Server
EXERCISE 7.3 (continued)
4. Click the Actions tab to reveal what actions can be taken when the event occurs.
5. Click the Send E-mail check box to have ISA Server send you an e-mail message any time the event occurs.
6. Next, key in the name of the server that will be relaying the e-mail to you. In our example, we used ISASERVER1.
7. Next, key in the SMTP address of the person to whom you’re sending this e-mail—in this case, yourself. Note that you can also include a Cc: address, perhaps a co-administrator, operations manager, or someone else. You can use an Exchange distribution list (DL) SMTP alias to send the alert to all members of the DL. Also key in the e-mail address in the From line; however, e-mail alerts will show up without anything in the From header.
Note that you could also opt to run a command or program and/or stop and start services in this window.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 403
EXERCISE 7.3 (continued)
8. Click Test to see if your e-mail configuration works. If it does, you’ll get an e-mail message stipulating that an ISA test has been run. If it does not work, go back and check your settings.
9. Click Apply or OK to save your changes, or click Cancel to discard them.
Now let’s use Exercise 7.4 to create a brand-new alert. EXERCISE 7.4
Creating a New Alert 1. From within the ISA Management console, navigate down the lefthand pane to Monitoring Configurations ➣ Alerts.
2. Right-click the Alerts section and select New ➣ Alert. The New Alert Wizard appears.
3. Key in the word Test in the Alert Name text box and click Next. (If you’re working on an array, then you must select either Any Server or This Server and then specify the ISA Server you wish to monitor.)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
404
Chapter 7
■
Performance Tuning and Optimization of ISA Server
EXERCISE 7.4 (continued)
4. In the Events And Conditions screen, select an event that is missing from the pre-configured alerts—we’ll use the Component Load Failure event along with an additional condition of Web Filter—and then click Next. Note that some events will activate the Additional Condition drop-down list, allowing you to specify more information pertaining to the alert. In the case of Client/Server Communication Failure shown here, there are no additional conditions to configure, so the Additional Condition drop-down list stays grayed out. Click Next to continue.
5. In the Actions screen, click the Send An E-mail Message check box and then click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 405
EXERCISE 7.4 (continued)
6. Key in the same information that you used in Exercise 7.3 and click Next. Note that the order of the e-mail address boxes is different than in Exercise 7.3.
7. If you had other things you needed to configure with this alert, you’d be presented with additional configuration screens. But since you’ve finished configuring this alert, you’re presented with the final screen, which details your configuration. Click Finish to create the new alert, or click Cancel to cancel your work.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
406
Chapter 7
■
Performance Tuning and Optimization of ISA Server
Services Navigate to the Services section of the ISA Management console, found immediately below the Alerts section, and you can view the services that are pertinent to all ISA servers in the array, as shown in Figure 7.18. Note that you can stop and start any service. In Taskpad view, you’re given Stop A Service and Start A Service icons. Stopping or starting a service within this node accomplishes the same thing as if you navigated to Start ➣ Programs ➣ Administrative Tools ➣ Services and stopped or started the services through this utility. FIGURE 7.18
The Services pane, shown in Taskpad view
Sessions The final piece of the Monitoring node is Sessions, where you can view all active sessions going out through or coming into the ISA Server, as shown in Figure 7.19. Note that with the click of an icon you can disconnect any session.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Monitoring the ISA Server 407
FIGURE 7.19
The Sessions pane, shown in Taskpad view
Why Would You Ever Disconnect a Session? You’ll typically use the Sessions pane in tandem with one of the reports. Suppose that you have an ISA Server installation running in your production environment. You’re pretty sure that you have all rules configured correctly, but the server’s been in production only a few days and you’re waiting to see if any issues develop. Sure enough, on the second day of operation, you notice from a Traffic And Utilization report that a PC being used by ChloeA is the number-one user on your network and has downloaded thousands of bytes’ worth of streaming media data. Your network is currently too overloaded to allow this type of activity, so you configure a packetfiltering rule that disallows streaming content and you disconnect her current session.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
408
Chapter 7
■
Performance Tuning and Optimization of ISA Server
In another scenario, you could see from a Security report that there were many authorization failures for a PC with an outside IP address. Now, in the Sessions section, you notice that this computer has a current session on your ISA Server! This could mean that you have some secure web content requiring validation that the user failed to authenticate to or it could mean that he’s hacking you. You disconnect the session and set up a rule that disallows that computer from ever coming into the ISA Server.
Intrusion Detection
I
ntrusion detection is easy to configure. Simply navigate the ISA Management console to Access Policy ➢ IP Packet Filters. Right-click Intrusion Detection, and select Properties to bring up the Properties sheet. On the General tab, enable Intrusion Detection.
Monitor security and network usage by using logging and alerting. ■
Configure intrusion detection.
On the Intrusion Detection tab, shown in Figure 7.20, check or uncheck the various options that you desire to utilize on the ISA Server. If you’ve enabled Port Scan intrusion detection, verify the minimum number of well-known ports that are hit before you call it an intrusion, and also verify the number of ports overall that are hit before you make the same call.
Note that two other packet filters, Packet Fragment and IP Options, are found elsewhere within the IP Packet Filters section and are valuable intrusion aids as well. However, you’re not really detecting these kinds of intrusions—you’re simply preventing them from entering the door. You can find these two items on the Packet Filters tab of the IP Packet Filters Properties sheet.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Intrusion Detection 409
FIGURE 7.20
The Intrusion Detection tab of the IP Packet Filters Properties sheet
We’ll use Exercise 7.5 to configure intrusion detection. EXERCISE 7.5
Configuring ISA Server Intrusion Detection 1. From within the ISA Management console, navigate to Access Policy ➣ IP Packet Filters.
2. Right-click the IP Packet Filters node and select Properties to bring up the General tab of the IP Packet Filters Properties sheet.
3. Click the Enable Packet Filtering check box. 4. Click the Enable Intrusion Detection check box. The screen should look like the one shown on the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
410
Chapter 7
■
Performance Tuning and Optimization of ISA Server
EXERCISE 7.5 (continued)
5. Click the Intrusion Detection tab to reveal the current settings. 6. Put a check in all of the intrusion-detection check boxes, leaving the number of attacks at the default settings. Your screen should look like the one shown below.
7. Click OK. You’ve now enabled intrusion detection for the server or array you’re currently working on.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Summary 411
Summary
I
n this chapter, we’ve talked about monitoring the ISA Server. We started out by discussing System Monitor and its importance in giving you the ability to diagnose how the server is behaving with ISA installed on it. Many performance objects and their corresponding counters are added to the computer’s OS when ISA is installed for the first time. You can use System Monitor to view any of these counters and make objective decisions about the system’s performance. You can also perform very robust reporting on the work that the ISA Server is doing. Reports are easy to set up and easy to run, giving you lots of graphical information that can be viewed from any workstation running an ISA MMC with permissions to access the system (including the ISA Server itself). Remember that reports derive their information from preconfigured reporting elements that you create, which are derived from logging that the system automatically creates. Simply adjust the logging properties to your needs, create the report elements you want to use, and then run the reports at any time you like. You can also look at the alerts that the system presents. Alerts are system notifications that may or may not require your immediate attention. For example, whenever a ISA Server service has been stopped or started, an alert is posted in the ISA Management console so that you’re made aware of the activity. You can also configure alerts to be e-mailed to you or other administrators. The Services Details pane shows you all of the services affiliated with all ISA Servers in the array, indicates their current status, and lets you stop or start them as needed. In addition, it’s possible for you to monitor the sessions that are currently active on the ISA Server and disconnect any that you think may be of a spurious nature. Finally, configuring intrusion detection is very simple—right-click IP Packet Filters, bring up the Properties sheet, and navigate to the Intrusion Detection tab, where you can either check or uncheck the intrusiondetection mechanisms you desire to host at your site.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
412
Chapter 7
■
Performance Tuning and Optimization of ISA Server
Key Terms
B
efore you take the exam, be certain you are familiar with the following terms: alert
performance object
directives
Simple Mail Transport Protocol (SMTP)
performance counter Performance Monitor
System Monitor
Exam Essentials Be able to perform a System Monitor analysis on the ISA Server using the supplied ISA Server performance objects and their associated counters. Pay special attention to the ability to track the amount of RAM used by caching so as to spot potential bottlenecks before they occur and remedy them accordingly. Understand the components required to generate reports and be able to generate a report of any of the five standardized types. Understand that logging must be configured and enabled in order to retrieve reports from any of the selected types. Understand what alerts are, how they’re created, and where to find them. Understand how to configure them so they can e-mail warning messages to administrators. Be able to configure intrusion detection. Understand the various intrusion-detection mechanisms (covered in Chapter 1) and be able to configure them accordingly.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 413
Review Questions 1. You wish to configure all of the pre-configured alerts in your ISA
Server stand-alone installation so that you receive e-mail on your personal e-mail account, as well as send an e-mail message to a coadministrator on the system. What are the two alert configuration methods you can use to accomplish this goal? A. Enter your co-administrator’s name in the Cc: line of the alert’s
SMTP configuration dialog. B. Enter the SMTP alias of a distribution list that includes only you
and your co-administrator in the To: line of the alert’s SMTP configuration dialog. C. Enter your co-administrator’s name in the To: line of the alert’s
SMTP configuration dialog. D. Enter the SMTP alias of a distribution list that includes only you
and your co-administrator in the Cc: line of the alert’s SMTP configuration dialog. 2. You’ve gone through the steps of setting up an ISA Server. You’ve
put the server into production, and users can access the Internet without any trouble. One of the managers complains to you that she thinks one of her subordinates is on the Internet almost constantly during the day. You run a quick Summary report for this manager in order to show her the top 10 users but are embarrassed to find that no data appears. What could be wrong? A. No packet filters have been created. B. No site and content rules have been created. C. No report jobs have been created. D. The Local Address Table isn’t populated. E. Site and content rules are not configured to count incoming
URLs. F. The URL cache is misconfigured.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
414
Chapter 7
■
Performance Tuning and Optimization of ISA Server
3. You’re trying to set up intrusion detection—you’ve enabled the IP
Packet Fragment feature of intrusion detection. However, when you pull up the Intrusion Detection configuration screen (shown below), you don’t see IP packet fragments anywhere within the properties on the Intrusion Detection tab. What could be wrong?
A. ISA Server has to be configured to support IP packet fragment
filtering. B. IP packet fragment filtering is configured in the IP Packet Filters
section. C. IP packet fragment filtering is configured in the Site And Content
Rules section. D. You need to set up a routing rule to filter for IP packet
fragments. 4. You’ve set up a stand-alone ISA Server and it seems to be functioning
well. However, some users report longer-than-average wait times when requesting an Internet URL. You run a Performance Monitor session to look at the cache, which is located on the same NTFS drive as the system partition, and get some output (see exhibit). What two things can you do that will increase the throughput of your ISA Server?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 415
A. Upgrade the hard drive that the cache is on. B. Extend the cache’s space allocation. C. Add RAM to the server. D. Configure dynamic cache downloads. 5. Which of the five ISA Server reports will show you the top web users
for any given report job? A. Summary B. Web Usage C. Application Usage D. Traffic And Utilization E. Security 6. Your company runs a highly successful e-commerce business. You
have internal clients, developers mostly, who need to contact the e-commerce servers on the DMZ (see diagram) in order to make updates. You’re preparing a Web Usage report (see exhibit) that will
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
416
Chapter 7
■
Performance Tuning and Optimization of ISA Server
report on the way that your ISA Server is interoperating with these e-commerce servers. Specifically, you want to know how many of your customers are not being allowed into one of your sites because of an authorization failure. Which component of the Web Usage report will yield these results?
E-commerce server
User computer
User computer
ISA Server
E-commerce server
User computer
E-commerce server
User computer
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 417
A. Top Web Users B. Top Web Sites C. Protocols D. HTTP Responses E. Object Types F. Browsers G. Operating Systems H. Browsers vs. Operating Systems 7. Users are complaining to you of slow response times with your new
ISA Server. You run a Performance Monitor report of your server’s performance and retrieve the output shown (see graphic). Given this output, what are some things that you can do to improve the performance of the server? (Select all that apply).
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
418
Chapter 7
■
Performance Tuning and Optimization of ISA Server
A. Add RAM to the server. B. Increase the size of the disk cache. C. Add another hard drive to the computer and move the disk cache
to the new drive. D. Set up dynamic URL caching. E. Set up another ISA Server to balance the load. 8. You have an array of ISA Servers installed. The array is configured
for cache balancing. Users are complaining of slow speeds when connecting to the Internet and downloading pages. You run a report on one of the servers in the array and find the data shown in the graphic. What must you do to correct the problem?
A. Add CPUs to the server. B. Add RAM to the server. C. Set up dynamic URL caching. D. Adjust this array member’s load factor to 200.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 419
9. You are setting up an ISA Server array that will be managed by a
group of 12 individuals. You want these people to get alerted not only by e-mail, but also by pager. All of the members of the ISA Server administration team carry alphanumeric pagers provided by the same vendor. From the list below, choose the steps you need to go through to facilitate this alerting mechanism. A. Ask the e-mail administrator to create 12 distribution lists
consisting of the 12 admins’ regular e-mail addresses and the SMTP addresses of their pager system. B. Ask the e-mail administrator to create a distribution list that
contains the initial 12 distribution lists. C. Install modem-sharing software on the e-mail server so it can
send pages. D. Set up the ISA Server alerts so that the To: line points to the
e-mail address of the single distribution list. E. Key the phone numbers of the ISA Server administrators into
their respective e-mail account information. F. Ask the e-mail administrator to set up one distribution list that
contains the e-mail addresses of the 12 administrators and their pagers. 10. What report(s) can be utilized to view the protocols being utilized by
clients accessing ISA Server? (Choose all that apply.) A. Summary B. Web Usage C. Application Usage D. Traffic And Utilization E. Security 11. Suppose that you wanted to stop key ISA services on one of the
servers in an ISA array. What would be the easiest method to accomplish this?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
420
Chapter 7
■
Performance Tuning and Optimization of ISA Server
A. Connect into the server with Terminal Services and stop the
services. B. Use the Monitoring node of ISA Management console. C. Ask an admin buddy near the server to cycle the services. D. Use SMS to connect to the server and cycle the services. 12. Javier has several alerts showing up in the Monitoring node of his
ISA Management console. He wants to get rid of some of them. How can he accomplish this? A. Right-click the Alerts section and select Delete. B. Shift+click to highlight all offending alerts and then hit the
Delete key. C. Shift+click to highlight all offending alerts and then right-click
and select Delete. D. Right-click each offending alert one at a time and select Reset. 13. Suppose that you wanted to figure out what types of operating
systems people were using to access ISA Server. What would be the best report to run? A. Summary B. Web Usage C. Application Usage D. Traffic And Utilization E. Security 14. You’re not receiving any IP header information in your reports.
You’d like to have this information so that you can periodically review it for spurious entries that may point out a possible intrusion. You’re reviewing the settings in the Packet Filters Properties page, as shown in the exhibits. How do you take care of this problem?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 421
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
422
Chapter 7
■
Performance Tuning and Optimization of ISA Server
A. Set up an IP packet filter. B. Modify the packet filter log’s properties to include the IP Header
field. C. Modify the Security report to include IP headers. D. Modify the default routing rule to include IP headers. 15. Which databases can ISA Server’s logs write to? A. Microsoft SQL Server B. Oracle C. IBM DB2 D. Sybase E. Microsoft Access F. Any ODBC-compliant database 16. You’re setting up a new ISA Server array. You anticipate that you’re
going to get tremendous traffic crossing the array, and you decide to log all reports to a SQL Server database on a different server in the environment. The logging isn’t working—it isn’t writing any records to the database even in Test mode. You review the ODBC settings (see the exhibit) and they appear to be okay. What could be the problem?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 423
A. You have insufficient permissions to access the database. B. ODBC is set up to use the wrong database. C. You need to use a System DSN. D. SQL Server is unavailable. E. The SQL Server version number is incorrect. 17. You are setting up an ISA Server array that has six members. You
are now configuring the log settings and want to maximize the efficiency with which the logs can be viewed. You want to avoid chewing up disk space with the logs. What steps should you take to achieve this design goal? A. Set up each array member to write to Other Folder. Use W3C
extended format. Choose to limit the number of logs to a set number. B. Set up each array member to write to ISALogs. Use W3C
extended format. Choose to limit the number of logs to a set number. C. Set up each array member to write to Other Folder. Use ISA
Server format. Choose to limit the number of logs to a set number. D. Set up each array member to write to ISALogs. Use ISA Server
format. Choose to limit the number of logs to a set number. E. Set up each array member to write to Other Folder. Use W3C
extended format. Choose to compress and limit the number of logs to a set number. F. Set up each array member to write to ISALogs. Use W3C
extended format. Choose to compress and limit the number of logs to a set number. 18. You’re setting up Intrusion Detection’s Port Scan feature. There are
two port settings—what are they? A. Maximum number of ports allowed scanned by any one host B. Number of attacks on well-known ports C. Number of attacks on any ports D. Port range on which port scanning is prohibited
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
424
Chapter 7
■
Performance Tuning and Optimization of ISA Server
19. You are setting up an ISA Server array of two computers that will
be sharing the URL cache. You want to log the activities of these computers. Specifically, the design criteria you’ve come up with require that each server write to its own logs and that you retrieve data from all available fields, even if the fields aren’t populated. How will you set up the logging of this array? A. Choose to write to ISALogs and use W3C format. B. Choose to write to Other Folder and use W3C format. C. Choose to write to ISALogs and use ISA format. D. Choose to write to Other Folder and use ISA format. 20. You’re the administrator of a large ISA Server array. You’ve been
asked to monitor the daily activities of your telecommuting VPN clients. Which ISA Server log will you utilize? A. IPPEXTDyyyymmdd.log B. IPPEXTMyyyymm.log C. FWSEXTDyyyymmdd.log D. FWSEXTMyyyymm.log E. WEBEXTDyyyymmdd.log F. WEBEXTMyyyymm.log
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 425
Answers to Review Questions 1. A, B. It’s simple to enable the e-mailing of alerts. By creating a
distribution list that includes both you and your co-administrator, then keying the SMTP alias of the distribution list into the To: line of the alert’s SMTP configuration dialog, you can send one alert to both people. Use DLs when you want to send alerts to several people. Use the Cc: method when you want to send the alert to one other person. 2. C. You can’t have ISA Server installed without having created the
LAT. Reports don’t rely on packet filters or site and content rules, but they do rely on report jobs having been created. The reason the report containers are empty is that you’ve not yet created even a single report job—hence the embarrassing no-data episode. 3. B. IP packet fragment filtering isn’t set up in the Intrusion Detection
tab of the IP Packet Filters Properties sheet; it’s actually found under the Packet Filters tab of the same Properties sheet (see below). A site and content rule doesn’t necessarily need to be present to enable IP packet fragment filtering, and neither does a routing rule.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
426
Chapter 7
■
Performance Tuning and Optimization of ISA Server
4. B, D. The cache is being heavily hit and is close to full, as evidenced
by the Disk Cache Allocated Space counter. Extend the cache’s space allocation (perhaps moving it off the System partition to a different disk on the server as well) and configure dynamic cache downloads so that the cache URLs are automatically updated with the latest information. 5. B. The Web Usage report shows you the top web users. The
Summary report displays all ISA traffic for a user, not just the web traffic. The Web Usage report shows only Web proxy traffic. 6. D. The HTTP Responses section of the Web Usage report yields
information on a variety of topics such as Success, Object Moved, Authorization Failure, Object Not Found, and Other. Since you’re interested in reasons why certain users are not able to access the e-commerce servers, you’ll want the HTTP Responses section because it will show you if any of them have failed to authenticate and hence are denied access. 7. A, B, D, E. Users are complaining because the server isn’t reacting
quickly enough to their request for a web page. This server’s cache is full and the disk is slow. RAM is also being over-utilized and the server is RAM-starved. You should add RAM to the server and increase the size of the disk cache. If the cache size can’t be increased because of space limitations, consider adding another disk to the system. Dynamic caching will improve slow user response times, and adding a second ISA Server in an array will help balance the load. 8. D. Before investigating whether to add CPUs, a costly and time-
consuming maneuver, you should first look at the load factor that this particular server is utilizing, relative to the number and health of the other servers in the array. Perhaps whoever set up the array neglected to consider this and consequently set all array members evenly. Clearly, this server has CPU issues, so it needs some offloading. 9. D, F. I know, I know—I hear what you’re saying—you’re not
an e-mail administrator. However, you should understand that the test asks you questions of a highly disparate nature. You need to
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 427
understand a variety of things such as Unix, WAN connections, routers, virtual private network (VPN) connections, TCP/IP subnetting, and so forth. This question is designed to get you to think about how you’d alert many different administrators of an ISA Server array. You can do this quite handily through Exchange, understanding that some alphanumeric pager companies allow you to send e-mail directly to the pager. First, set up a distribution list that includes the admins’ regular e-mail account along with the e-mail address of their pager. That way, you have all the e-mail addresses that need to receive the alert on one list. Next, set up the ISA Server alerts so that the To: line of the SMTP configuration Properties sheet points to the e-mail address of this new distribution list. When an alert fires, it will send the text of the alert to the single e-mail address, and Exchange will then send it to all 24 entries in the DL, thus hitting each admin’s pager and e-mail. The key to this scenario is to make sure the pagers can receive e-mail. 10. A, B, C, D. Summary, Web Usage, Application Usage, and Traffic
And Utilization all show protocol usage, each relative to the scope of the report that they’re covering. For example, the Web Usage report will show protocols specifically in use by web clients, not by application clients and so forth. The Security report does not show protocol usage. 11. B. All of the methods will work, but using Monitoring ➣ Services
will work best because you can access all of the members of each array through a single MMC interface. 12. D. The action of deleting an alert is called a reset. You cannot
highlight a whole group of alerts and reset all of them at once. It’s a one-at-a-time deal. 13. B. The Web Usage reports yields operating system and browser
information. 14. B. You can add the IP Header field to the list of fields that are
logged by the packet filter log, and then report on it as usual. 15. F. The ISA Server logs can write to any ODBC-compliant database.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
428
Chapter 7
■
Performance Tuning and Optimization of ISA Server
16. C. When accessing a database in order to write log information to
it, you first need to set up an ODBC connection. You must also use a System Data Source Name (DSN), as opposed to the User DSN shown in the exhibit. The difference is subtle, yet a complete showstopper. 17. F. By instructing the logs to write to ISALogs, you write to a
directory beneath the initial ISA Server installation directory—thus localizing the logs in one place for easier viewing. Saving the logs to W3C format means that the directives (version, date, and field names) of the logs are saved along with the selected fields. You should opt to compress the logs and restrict them to a certain number. 18. B, C. You can set it up so that you’re alerted when the number of
attacks on well-known ports goes over a certain number (the default is 10) and when the number of attacks on any port or ports goes over a certain number (the default is 20). 19. D. Remember that the difference between W3C and ISA format is
that W3C includes both the data and the directives—by which we mean the version, date, and logged fields. ISA format, on the other hand, doesn’t include the directives, only the field data. However, ISA format includes all fields, even if they’re blank. You can opt to write the logs to a folder beneath the initial ISA installation folder, called ISALogs, or you can write to the folder of your choice, keeping in mind that the folder you choose has to exist or the logs will fail. Hence, our design criteria stipulate that you choose Other Folder and that you write an ISA format file. 20. C. The VPN clients must utilize the Firewall client software. You’ll
monitor the Firewall Service daily logs to view their activity.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Chapter
8
Troubleshooting ISA Server MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: ✓ Troubleshoot problems that occur during setup. ✓ Troubleshoot access problems. ■
Troubleshoot user-based access problems.
■
Troubleshoot packet-based access problems.
✓ Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections. ✓ Install the Firewall Client software. Considerations include the cost and complexity of deployment. ■
Troubleshoot autodetection.
✓ Troubleshoot problems with security and network usage. ■
Detect connections by using Netstat.
■
Test the status of external ports by using Telnet or Network Monitor.
✓ Configure and troubleshoot Virtual Private Network (VPN) access.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
T
he ISA Server test is full of questions on troubleshooting, predominantly questions about client configuration and access (or lack thereof). It’s important to understand when you’d use a specific client, how you’d configure that client, and, ultimately, how that client will interact with the Internet. Plan on questions that show different kinds of computers (such as Windows and Unix computers) and questions about the clients that are needed in order to connect to ISA. Also plan on questions that show clients in one site connecting through an ISA Server in an array to an array member in another site and then out onto the Internet—and why they can’t connect. In this chapter, we’ll talk about these kinds of questions along with other issues listed in the test objectives.
Installation Troubleshooting
W
e begin our journey down the troubleshooting road with problems that revolve around the installation of ISA Server. Probably more important are the problems that might arise in the configuration of specific ISA Server components—web publishing, for example.
Troubleshoot problems that occur during setup.
Let’s start by breaking down some common problems that you might encounter as you set up ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Installation Troubleshooting
431
Services cannot start. So you’ve set up ISA Server, thought everything went well, and, lo, the services won’t start. What do you do then? Well, the answer is pretty complicated, but the reason why the services failed to start is fairly straightforward. The services can’t start if the Local Address Table (LAT) isn’t configured correctly and doesn’t include the internal NIC. The problem is that you can’t start the ISA Management console in order to re-configure the LAT. So you’re hosed. You work around this problem by first stopping the ISA Server services and any associated packet filtering (using net stop msfltext if need be). Then you use the ISA Server Software Development Kit (SDK) to set up the LAT using ISA Server Administration Common Object Model (COM) objects. You can reference the SDK for further instructions on how to do this. ISA Server icons don’t get built on the array member. This happened to me when I was setting up a two-node ISA Server array. I launched the Enterprise Edition software and selected Run ISA Server Enterprise Initialization on the first member in the array. The AD schema was extended correctly and everything worked just fine. Then I went to the second Windows 2000 Server and ran DCPROMO, and all of the AD objects replicated just fine. Next I ran the ISA Server Enterprise Edition installation again, but when the program finished, the setup hung for a long time and I finally had to kill it. I didn’t have the ISA Server icons in the second node, but the array member did show up in the first server’s Management console, so I knew it installed okay (or at least thought it installed okay). To fix this problem, I de-installed ISA Server from the computer and reinstalled it, and this time all icons came up and worked correctly. Hardware issues arise at installation time. Another prominent problem, one that may be extremely difficult—or easy—to solve, is that of hardware. Since ISA Server requires two interfaces, whether one of those is a modem and one a NIC or both are NICs, you may run into installation issues because a particular piece of gear isn’t working correctly. The key to troubleshooting an issue like this is to double-check all components ahead of time, prior to the ISA installation, to make sure everything’s working correctly and then go forward with the installation. Modems are a very common problem spot with servers. If you have open COM ports on the server and then install an internal modem, it’s quite possible that you have a device conflict that you’re not even aware of. Check My Computer ➢ Properties ➢ Hardware ➢ Device Manager for any possible conflicts. Clear any hardware conflicts before installing ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
432
Chapter 8
■
Troubleshooting ISA Server
You can’t extend the AD schema. ISA Server Enterprise Edition is required in order to extend the Active Directory (AD) schema in preparation for an ISA array. The two installation programs look very much alike, but there is no option to extend the schema (Run ISA Server Enterprise Initialization) in the Standard Edition.
Is Your Server Overworked? Suppose that you’re the administrator of a smaller network of around 250 users, where both administrative and hardware resources are in short supply. You’ve been reading about ISA Server and really feel that it’s a fit for your enterprise. Unfortunately, you don’t have a spare box sitting around that you can put into play as a stand-alone ISA Server. So you decide that, since you want to publish web content from your internal network anyway, you can simply use a server that can double as an intranet server as your web and ISA Server. The problem is that the box is a Pentium III 450 with 256MB of RAM. You’re already running IIS 5.0 with SharePoint Portal Server (SPS), and now you’re proposing to install ISA Server on the computer as well. You have plenty of disk space, about 30GB, available. You’re just not sure what to do. There are so many benefits to be had from setting up ISA Server—should you install it on this computer or not? Consider the minimum installation requirements for ISA Server— 300MHz Pentium II processor or better, 256MB of RAM, and 20MB of free space. These requirements, first of all, are suggested minimums, and second, the implication is that you’ll not be running anything but ISA Server on the computer. You know that IIS 5.0 was installed when you set up Windows 2000 Server, so you can anticipate little overhead with this add-on component. But what about SharePoint Portal Server? Here’s a Microsoft product that requires a Pentium III or better processor, 256MB of RAM, and 550MB of free hard drive space. You have all the bases covered, but only barely.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
433
Clearly, this computer is not a candidate for both SPS and ISA Server from strictly a minimum-requirements standpoint. But there’s another issue: Do you really want to run an internal application on a computer that’s going to interface with the Internet? How comfortable would you be with such a scenario? What if somebody happened to hack into the ISA Server? They would then be able to potentially read and damage intranet content. How safe is that? Furthermore, what about the almost certainty that your 250 users will have a very poor Internet experience because the box is so overloaded? The decision to run ISA Server is an easy one to make. But you must make good, sound design decisions that make sense for your enterprise. This computer must either be an ISA Server or a SharePoint Portal Server, not both.
Access Problems
N
ext, we delve into the issue of access problems—hobgoblins that will account for probably 90–95 percent of your troubleshooting. There are three kinds of access that might cause problems: Outbound access When you have outbound-access problems, you have a user who cannot access Internet sites, whether they’re HTTP, HTTPS, FTP, or other kinds of sites. User-based access In this situation, you have a single user (or group of users) who’s having a specific problem while the rest of the organization is having no difficulty accessing a particular site. Note that this kind of problem can occur with either outbound or inbound traffic. For example, you’re reverse-hosting a web server from your internal network and you get complaints that Internet users are unable to access the site. Packet-based access In this situation, you experience problems where certain incoming packets are being dropped for some reason.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
434
Chapter 8
■
Troubleshooting ISA Server
Troubleshoot access problems. ■
Troubleshoot user-based access problems.
■
Troubleshoot packet-based access problems.
Outbound Access By far, the majority of the questions on the test revolve around scenarios where internal users cannot access the Internet or cannot access specific Internet sites. Let’s think for a moment about the components that might be involved with a user trying to access an Internet site through an ISA Server. There are several complexities involved: ■
■
■
■
Enterprise site rules that override array member rules: If there’s an enterprise site and content rule that allows only certain groups out onto the Internet, it doesn’t matter that there’s an array member site and content rule that pretends to allow groups denied by the enterprise rule—the members of the group are still not going to get out. The enterprise rule wins. Site and content rules that allow only certain groups out to sites: If a user isn’t a member of one of the allowed groups, then they will not get out to desired sites. Protocol rules that deny certain protocols: These may inhibit a user’s ability to hit certain sites. The most widespread occurrence of this will be when you’ve disallowed HTTPS (either accidentally or on purpose), and users complain that they cannot hit secure sites. (You may get fewer complaints than normal in such a scenario because people might be reluctant to confess that they’re trying to order flowers over the Web using the company’s Internet connection. If you don’t want them surfing out to online shopping sites, then that’s a different problem.) Packet filters that drop certain incoming packets: Let’s suppose that your site and content rules look fine, as do the protocol rules and the destination and client address sets. Nevertheless, users are unable to hit HTTPS sites. Could the problem be that you have a
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
435
packet filter enabled that drops all incoming HTTPS requests? In a situation like this, users might be able to hit an entry website, but when they get ready to make a purchase and are transferred to the HTTPS pages, all activity ceases. ■
■
■
Has someone monkeyed with the schedule? For example, if you’re supposedly on the Work Hours schedule, is it possible that another administrator has messed around with the schedule and has effectively blocked users from using the ISA Server? Or could it be that someone has inadvertently selected Weekends instead of Work Hours? Destination sets might not include destinations to which some users require specific access. Client sets may not include certain clients that require access.
There are two separate instances in which you’re likely to experience problems: at initial ISA Server deployment time and after the ISA Server has been running successfully. In the former case, your troubleshooting efforts will require more in-depth hunting because you’ve not yet established that all cylinders are firing. Suppose that you set up a brand-new ISA Server and deploy it to the user community. Almost as soon as you direct users to the new ISA Server, you receive complaints that no one can get out. Well then, where do you start? Having validated that TCP/IP is working correctly and that you’ve configured it correctly (including making sure that the correct DNS entries are added to your ISP’s DNS server), your next step is to go through the various rules that you have in place and make sure that you don’t have something tightened down too harshly. As a rule of thumb, it’s a good idea to start out with rules that allow virtually everybody to do virtually everything and tighten down from there. For example, you may set up a site and content rule that allows all users access to any site and a protocol rule that allows all IP traffic in either direction, and you’ve verified that the rules are enabled. Then you can begin tightening down on the rules, adding content groups, site and content rules, protocol rules, IP packet filters, client address sets, destination sets, and routing rules until you arrive at the place where your network needs to be. We’ll use Exercise 8.1 to illustrate what we’re talking about. In this exercise, let’s assume that you’ve just installed ISA Server and you’re ready to begin configuring it.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
436
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.1
Creating a Completely Open ISA Server 1. Navigate down through the ISA Management console to Servers and Arrays ➢ Server_name ➢ Access Policy ➢ IP Packet Filters. Right-click IP Packet Filters and select New ➢ Filter, as shown in the following graphic. The opening screen of the New IP Packet Filter Wizard appears.
2. In the IP Packet Filter Name text box, give the new filter a name that’s meaningful, such as All Open. Click Next.
3. If you’re running ISA in an array, then set the filter for All ISA Server Computers In The Array. Click Next.
4. Create a filter that allows packet transmission, and click Next. 5. In the Use This Filter section, select Custom. Click Next. 6. On the Filter Settings screen, make sure that Any is showing in the IP Protocol drop-down list box and that Both is showing in the Direction drop-down list box.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
437
EXERCISE 8.1 (continued)
7. On the Local Computer screen, apply the packet filter to Default IP Addresses For Each External Interface On The ISA Server Computer. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
438
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.1 (continued)
8. Apply the packet filter to All Remote Computers. Click Next. 9. Click Finish to finish creating the All Open packet filter. 10. Next, navigate to the Site And Content Rules node of the ISA Management console (in an enterprise array, you’ll want the Enterprise ➢ Policies ➢ Enterprise Policy ➢ Site And Content Rules node; in a stand-alone installation, you’ll want the Server_name ➢ Access Policy ➢ Site And Content Rules node). Right-click the node and select New ➢ Rule to create a new site and content rule.
11. In the Name text box of the opening screen of the New Site And Content Rule Wizard, type in a meaningful name, such as All Content. Click Next.
12. Click the Allow radio button to allow a response to client requests for access. Click Next.
13. Click Custom to specify the clients that you’re going to apply this rule to. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
439
EXERCISE 8.1 (continued)
14. Apply the rule to All Destinations. Click Next. 15. Click Always for the schedule that the rule is going to use. Click Next. 16. Click Any Request on the Client Type page for the requests that the rule is going to apply to. Click Next.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
440
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.1 (continued)
17. Click Any Content Type on the Client Groups page for the type of content the rule applies to. Click Next.
18. Click Finish to create the All Content rule. 19. Next, navigate to the Protocol Rules node (in an enterprise array, navigate to Policies ➢ Enterprise Policy ➢ Protocol Rules; in a standalone installation, navigate to Server_name ➢ Access Policy ➢ Protocol Rules). Right-click the node and select New ➢ Rule. The New Protocol Rule Wizard appears.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
441
EXERCISE 8.1 (continued)
20. In the Name text box of the opening screen of the New Protocol Rule Wizard, type in a meaningful name, such as Allow All. Click Next.
21. Click Allow to allow client requests to use this protocol. Click Next. 22. Apply this rule to All IP Traffic. Click Next. 23. Select the Always schedule. Click Next. 24. Apply the rule to Any Request. Click Next. 25. Click Finish to set up this vanilla protocol rule. Barring any other rules you may have entered, your ISA Server is now completely open on both sides and ready for you to tweak.
Once the ISA Server is set up and running and you’ve put a lot of effort into getting the rules just right (or at least you thought they were just right), you might run into a new set of client-access problems. Perhaps you have users who are trying to hit certain sites but aren’t allowed to do so. Or perhaps you have users who aren’t able to hit any sites at all. When troubleshooting the problem, you must first ascertain whether the client is a Firewall client (and has the associated files, especially the all-important mspclnt.ini) or is simply a SecureNAT client. Understanding the type of client you’re dealing with will make your troubleshooting easier. Next, determine what kind of problem the user is encountering. Are they able to surf to certain Internet sites but not to others? This ability implies that the client software is working, regardless of the type of client, and that there is a rule firing somewhere that prohibits this user from getting to the site. Perhaps the rule that’s firing is a good one and the user is out of luck, or perhaps there has been a misconfiguration somewhere and this user has fallen through the cracks. If, however, the user is unable to hit any site whatsoever, then determining the type of client that the user is utilizing will be of importance to you. Perhaps the user tried to delete the Microsoft Firewall Client directory while innocently cleaning up their hard drive one day and managed to corrupt the mspclnt.ini file. This would cause all ISA connectivity to cease and result in you having to visit the computer. The solution? Reinstall the client software or, at very least, copy down a fresh mspclnt.ini. In an
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
442
Chapter 8
■
Troubleshooting ISA Server
array, things get stickier because their mspclnt.ini could be pointing to an array member that’s offline or in some other way unreachable. If the user is a SecureNAT client, perhaps they changed the default gateway to something other than the ISA Server, in which case, naturally, things are going to fail. There’s a more interesting point to make relative to this kind of scenario, however, and that is that users probably shouldn’t have access to critical directories such as Microsoft Firewall Client. Perhaps locking down the computers with policies and then deploying the client software with some packaging methodology might be the way to go so as to ensure that artful users don’t wind up stepping on their own foot. SecureNAT clients have some key restrictions that you need to be aware of: ■
■
■
You must set up protocol definitions for every protocol you intend SecureNAT clients to use. Certain applications with complex protocols that require the opening of back channels or that apply directives in the header of the packets will not work with SecureNAT clients. Use the Firewall client instead. Most important, SecureNAT clients do not support user-based authentication. If you have an application that users need to hit and it requires network authentication, then SecureNAT will not work for you.
Interestingly, Firewall clients present some difficulties as well, but in a far more exotic scenario. Suppose that you have a VPN connection set up from one point to another, say, in a business partnership arrangement where you’re connecting your company with another using Windows 2000 VPN technology. If your internal clients are Point to Point Tunneling Protocol (PPTP) clients, then the Firewall client won’t work for you—you’ll need to use the SecureNAT client. Firewall clients support only TCP and UDP protocols. PPTP has to utilize Generic Routing Encapsulation (GRE) on port 47 in order to work and thus won’t work with Firewall clients.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
443
Dynamic Host Configuration Protocol (DHCP) DHCP is a marvelous thing—it is so useful for network administrators. But because DHCP is a broadcast-oriented protocol, it can really play some interesting tricks on you when you’re using SecureNAT clients. Recall that the SecureNAT client is only a client because it has as its default gateway an entry that points to the ISA Server. You can easily set up the default gateway configuration through your DHCP scope(s) and thus pass this information automatically to your clients. This is a fairly straightforward solution when you’re in a single-network environment where users don’t have to pass through routers to get to the default gateway. But what about more-complex networks where you are using routers and you have to direct many different sets of users using various network addresses to the same default gateway? The routers in these situations must know the address of the default gateway in order to point users to it. You have three choices for solving this problem: ■
■
■
Set up a DHCP server in each network. This is not a very practical solution in smaller networks where one DHCP server could easily handle the load. Set up a DHCP server that has a superscope that contains the network addresses of all the networks, and use DHCP relay agents on the separate networks. (See my book MCSE: Windows 2000 Network Infrastructure Design Study Guide, also published by Sybex, for more information on DHCP superscopes.) Set up BootP forwarding and configure helper addresses on the network addresses (your internetworking guys will love this solution). The helper address on the router is a pointer to a DHCP server, and BootP forwarding allows routers to forward BootP requests to that server.
Keep in mind that SecureNAT is used in cases where you have clients that cannot make use of the Firewall client (Unix, Linux, DOS, and other such clients). Be prepared to see exhibits on the text containing groupings of computers that show different operating systems and then ask clientoriented questions regarding the exhibit.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
444
Chapter 8
■
Troubleshooting ISA Server
DNS isn’t nearly as big an issue with clients and ISA Server, although you can get into a fairly esoteric problem situation if you haven’t properly set up DNS on your network. SecureNAT clients will not allow the ISA Server to resolve names for them. Hence, you’ll have to use either a WINS server for internal hostname resolution, an internal DNS server that has references to an Internetbased DNS server as well, or simply an externally based DNS server. With Windows 2000 clients, you’ll have to use DNS. Here’s where the problem comes in. You want your internal DNS server to be able to forward requests for Internet name resolution to an external DNS server (probably the one that’s at your ISP). To do this, your DNS server must be a forwarder. In Windows 2000 Servers, however, a problem arises when you do not let Active Directory configure DNS to be a forwarder. In fact, even if you do allow Active Directory to configure DNS but you do not have a DNS address keyed into the network interface configuration information, you’ll have a problem. When you go into DNS and then right-click the server and select Properties and finally navigate to the Forwarders tab, as shown in Figure 8.1, the Enable Forwarders check box is grayed out, along with the rest of the forwarder configuration information. This happens because when DNS is initially installed and configured (we’re talking about the first Active Directory domain controller in the network here), there is no DNS address to reference. In a case such as this, the installation assumes that it must check a file of root zones for further information. If it is able to contact the root servers referenced in the file (cache.dns), then it will use these servers for forwarding recursive lookups. On the other hand, if it cannot contact any of these root servers (as in the case when your computer is being configured in a lab and isn’t “live” yet), then it will create a root zone on your computer. In such a case, your computer can’t be a forwarder, because the assumption is that it’s already in the capacity of being forwarded to, i.e., responsible for recursive Internet lookups, and so forwarding is turned off. See Figure 8.1. You can easily fix this problem by deleting the root zone, closing DNS, and then re-creating the zone. See TechNet article Q229840 at www.microsoft.com/support for more information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
FIGURE 8.1
445
A DNS configuration with a problem!
User-Based Access With user-based access, we’re interested in whether outside users can connect to the ISA Server. More pointedly, we want to make sure that users can access servers that are reverse-hosted (from the internal network to the Internet), either web servers or application servers.
E-Mail Server Publishing Allowing internal Exchange Servers to be available (to publish) to the Internet is really straightforward with ISA Server—simply make them SecureNAT clients. In the Microsoft Proxy 2.0 days, you had to install the Web proxy client software on the Exchange Server and then install mspcfg.ini in a couple of specific application directories. Getting the setup to work wasn’t terribly difficult but could present problems. You
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
446
Chapter 8
■
Troubleshooting ISA Server
could opt to do the same thing today—that is, install the Firewall client on the Exchange Server and make sure you’ve correctly installed the mspcfg.ini files in their specific folders. Don’t. There’s no need to. But you run into some difficulties when you consider publishing multiple e-mail servers. First of all, once you consume a port on the external interface of an ISA Server, the port cannot be re-used. So you can’t key in two Mail eXchanger (MX) records on your external DNS server that point to the external interface. Here’s how to get around that minor issue: Bind multiple IP addresses to the external NIC and then use a separate IP address for each of the Exchange Servers you need to configure for outside e-mail. Optionally, simply install more external NICs as needed. You also can get into problems with name resolution on Exchange Servers. When an Exchange Server gets an e-mail destined for a recipient not in its directory, it can use three different configurations to resolve the name: ■
■
■
The Exchange Server can itself be a DNS server and be equipped with a forwarding address with which to resolve external names. The Exchange Server can forward the mail to a DNS server (whether internal or external) that itself is equipped with a forwarding address. The Exchange Server can utilize a smart host—an Internet server capable of forwarding requests to the correct address.
Then there’s the whole issue of Mail eXchanger DNS records that e-mail systems require. When you want to allow Internet e-mail to flow in, you must have an MX record somewhere that is authoritative for your e-mail server. If you know that users will be sending e-mail to your Exchange Server, but your Exchange Server is publishing to ISA Server, then the MX record should point to the ISA Server, not the Exchange box. Numerous problems stem from name-resolution issues. When you’re setting up ISA Server and you’re getting ready to publish websites or applications, it’s a very good idea to make sure that your name-resolution issues are settled and solved prior to full-scale deployment. If your ISP hosts a DNS box containing entries that point to your company, then you need to make sure the DNS entries are correct. If you’re hosting your own external DNS server, then you need to make sure that your DNS entries are correct. Finally, if you utilize forwarding to name-resolution authorities on the Internet, make sure the forwarding address is keyed into the ISA Server’s
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
447
DNS Properties sheet and that it’s a valid address. Nothing is more difficult to solve than a setup that appears to be configured correctly, but you just can’t figure out what’s wrong—only to find, after arduous hours of examining the settings, that for lack of an IP address the system won’t work correctly. And I’m here to tell you, as one with first-hand experience, that ISA Server is an ideal candidate for these kinds of dilemmas.
Web Publishing What a godsend it is to be able to reverse-host web servers without having to go through the hassle of putting your boxes out on the DMZ. You won’t have to mess around with MX DNS records, for one thing. And there are wizards for both kinds of publishing efforts, so you should be able to get things going quite easily. Nevertheless, there are some unusual situations to watch out for. The most interesting situation that you might run into is the problem of having more than one website to publish. Remember that we talked about ISA Server not being good about sharing port 80 with multiple web servers on a single IP address. Nor can you fake it out by putting some websites on port 8090 or some such fictitious port. The workaround is straightforward. Remember that Windows 2000 Server allows for the binding of multiple IP addresses to a single NIC. This feature will be incredibly useful to companies that are attempting to reverse-host multiple web servers. To get around the port-hogging problem, bind multiple IP addresses to the NIC, and then match each of your web servers to one of the addresses. Alternatively, you can install more NICs. Today you can buy dual-port PCI NICs that will come in handy for just such an activity. There are some other concerns as well. If you decide to publish an application on a little-known port, not only do you need to set up a publishing rule that allows for the actual publishing of the app, but you also need to create a protocol rule that accounts for the unusual port you’ve selected. The majority of problems encountered with web publishing will center on an incorrectly configured publishing rule, incorrectly set up destination or client sets, or an improperly configured IIS. You can also get into trouble if you try to publish a web server on a port that’s already in use. (We’ll talk about Netstat and how to use it to determine what’s in use later on, in the section “Security and Network Usage.”) We should also point out that there is a modicum of complexity in firewalling that can (and probably will) frustrate you when you’re setting up
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
448
Chapter 8
■
Troubleshooting ISA Server
your publishing. Remember some salient points when configuring internal users to go outside the network: ■
Client sets determine the client groups that certain firewall rules impact.
■
Protocol rules determine which protocols the client sets can utilize.
■
Site and content rules determine which clients can go where.
■
Destination sets determine the places that clients can go.
■
■
IP packet filters can control which packets are dropped (although this is typically done from external packets going inside). Routing rules control where protocols of a certain kind go.
The following rules control incoming Internet clients: ■
IP packet filters can control which packets are dropped and which are allowed inside.
■
Protocol rules prohibit certain protocols from being allowed inside.
■
Routing rules control where protocols of a certain kind go.
The key to troubleshooting any problem with either internal or external clients who are having trouble connecting to a given resource lies with a rule that’s firing that keeps the clients from their proposed destination (whether intentionally or not). Keep in mind that user authentication also comes into play with problems that can happen to clients. Suppose, for example, that you’ve set up a SQL Server implementation that allows company employees to connect from the Internet and perform work from home through a server that publishes to ISA. These users will have to provide adequate credentials in order to participate in the application, regardless of the correct firing of rules to allow the client inside the door.
Packet-Based Access With packet-based access, you set up the ISA Server to read the packets as they stream in, make a determination about whether to allow them inside or not, and then discard them if they’re to be blocked. You can
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Access Problems
449
set up packet filters that watch for UDP, ICMP, TCP, or any protocol, and you can also set up packet filters that watch for any protocol on a given port. Let’s think about this for a moment. If you have a block-type packet filter that’s set for any protocol (perhaps due to a slip of the mouse as you were configuring the filter), then clients are not going to get inside the door. If you have set the filter up for both inbound and outbound access, then you’ve effectively dropped all packets, and the ISA Server is serving as a really great stopping point for any client activity. For this reason, it’s very important to take into consideration the following factors before creating a packet filter: ■
The type of protocol you want to filter
■
The port you want to filter on
■
The direction that you want to filter
■
The computers that you want to filter
■
The rules that are in place that may be blocking activity you’d like to set in motion
Then, after you’ve reasoned out what the packet filter is going to do, you must make sure that other protocol filters or definitions aren’t going to get in its way. For example, suppose that you plan on allowing any TCP packets for POP3. You do this because users who have Internetbased e-mail accounts want to be able to receive their e-mail on their Outlook client while at work (a fairly common request). But then someone configures a protocol rule that prohibits incoming POP3 on port 110. What wins? The protocol rule will win because it is the most restrictive. Furthermore, if someone accidentally deleted the protocol definition for POP3, your filter still couldn’t allow anyone to access their Internet e-mail. Furthermore, you may have a packet filter set up that blocks certain computers but allows others in. So you can see that it’s critical to examine the entire scope of the rule set—client set, destination set, protocol definition, routing rule, site and content rule, IP packet filter, and even the schedule that’s in place—to make sure that you can trace the activity you want to have happen (or, conversely, not to have happen) through the ISA Server.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
450
Chapter 8
■
Troubleshooting ISA Server
PORT versus PASV Mode with FTP Clients Here’s an interesting scenario that might surface when you’re working with Internet Explorer (IE) clients who want to use their browser as an FTP client. There are two kinds of FTP modes: PORT mode and PASV mode. When you use FTP, the data connection is initiated with the server on port 20 (TCP). When IE is in PORT mode, FTP will use TCP port 21 for data. But when in PASV mode, it will use an arbitrary port, not necessarily port 21. You can see how it would be nearly impossible to set up secure packet filters for such a client. To get around this situation, see to it that you set up your internal IE clients using the following method: Go into IE and navigate to Tools ➢ Internet Options ➢ Advanced. Under the Browsing section of the Advanced tab, notice the option Enable Folder View For FTP Sites (shown below). When this box is unchecked, IE’s FTP capabilities are in PORT mode. When this box is checked, the mode is set to PASV. Simply uncheck the box if it’s checked and then restart IE.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Dial-up and RRAS Dial-on-Demand Connections 451
Dial-up and RRAS Dial-on-Demand Connections
O
ne of the better features of ISA Server and its predecessor MS Proxy Server 2.0 is the ability to dial up and connect to an ISP using Routing and Remote Access Service (RRAS). Troubleshooting connections in RRAS is fairly straightforward.
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
There are a handful of things that go together to make the system work properly. During problem periods, checking the items discussed in the following sections.
Modem Presumably, you’ve already gone through the effort of setting up your modem (or modems) and have verified that they are indeed working. Modems can really give a person fits if there’s another device in the system that would like to use the same COM port that your modem is trying to use. For this reason, I always prefer external modems because they have far fewer configuration hassles when you’re doing your initial setup. The good news is that once a modem is set up and working, usually it’s pretty reliable. Intermittent dial-out problems are likely caused by a modem that is in conflict with another device’s IRQ. Some modems may require that you type a special string of characters into the phonebook entry to get them to initialize correctly. Check with the manufacturer to see if this is the case.
Phonebook Entries There are a variety of things to think about when considering phonebook entries. Most common is the problem of having to dial some number such as 9, for example, to ring out to the outside. Usually you’ll put a 9 plus a comma (9,) in front of your phonebook entry; the comma represent one
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
452
Chapter 8
■
Troubleshooting ISA Server
second’s waiting time before beginning to dial. I’ve worked with phonebook entries that require six and seven commas due to the slowness of the system or other problems. It’s entirely possible that you’ll have to twiddle a bit with the phonebook entry to make sure it’s working correctly. A phonebook entry contains numerous items that will ultimately prevent the entry from working if configured incorrectly. For example, incorrectly setting up security with a given phonebook entry could cause it to stop working. Note that a good way to test a phonebook entry is to bring up its Properties sheet, select the Security tab, and then check the Show Terminal Window check box, as shown in Figure 8.2. This allows you to execute a manual logon at connection time, just to see what’s going on. Show Terminal means that once a dial-up connection is attempted and established, a command window is presented, allowing you to submit logon credentials and other commands that may be necessary on the receiving side. If you always try to execute a connection while in automatic mode, you may miss something that you would catch in manual entry mode. FIGURE 8.2
The Security tab of the phonebook entry Properties sheet
Another concern you may have, though it’s pretty rare these days, is the concept of whether you’re connecting to a Point to Point Protocol (PPP) server or a Single Line Internet Protocol (SLIP) server. SLIP’s the older of
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Dial-up and RRAS Dial-on-Demand Connections 453
the two protocols, so unless you’re connecting to an older system, it’s doubtful that you’d have a problem here. However, it’s quite possible that somebody may have been “experimenting” with the phonebook setup and may have accidentally changed the type of connection to SLIP. Authentication credentials are another issue. If you have a phonebook entry that needs to contact a server that will require logon credentials, then you’ll have to make sure that the credentials you pass in are correct and will work each time the connection is attempted. Check the Show Terminal Window check box on the Security tab to test the phonebook entry before putting it into production.
Missing ISA Server Management Console Dial-up Entry Is it possible that you went into Network And Dial-Up Connections, created the new phonebook entry, and then did not think about creating a new dial-up connection within the ISA Management console? If the phonebook entry is created, but you don’t have a dial-up entry in the ISA Management console to call it into action, then your connection won’t be made. Also, when considering the ISA Management console dial-up entry, check the Enable Bandwidth Control check box on the Bandwidth tab of the Dial-up Entry Properties sheet, shown in Figure 8.3. Note that you first must enable bandwidth control and then set the effective amount of bandwidth, in kilobits/second, that the dial-up connection is using. If someone has been messing around with the settings, it’s possible that the dial-up connection is so limited as to not allow any traffic across, even though you’ve established a connection.
Clients The same kind of client problems that we described above—such as protocol rules getting in the way of something a client is trying to do— apply to dial-up connections. The user isn’t aware that the server’s dialing a phone number or making an X.25 connection—they’re only aware that they’re not able to get through. So it’s important to keep in mind that the same kinds of rules that you’d use with a robust WAN connection to an ISP also apply to a dial-up connection. If the rules are set up too rigidly, or you did not account for a client being in a certain group that is denied rights to a certain protocol, then that client isn’t going to get connected.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
454
Chapter 8
■
Troubleshooting ISA Server
FIGURE 8.3
The Bandwidth tab of the Dial-up Entry Properties sheet
In some ways, troubleshooting RRAS problems is easier than troubleshooting situations with a WAN connection because you’re not concerned about such things as routers and WAN protocols. It’s just your server and the telephones. Nevertheless, there are still many things that can and do go wrong. That being said, it’s fairly elementary to test an RRAS connection and validate that it’s working.
If the Remote Access Auto Connection Manager service isn’t started, then your ISA Server dial-up connection won’t go through.
Autodetection
Autodetection is the ability of either a browser (Web proxy) or Firewall client to find the ISA Server for configuration information. However, with today’s roaming clients, the plot severely thickens when it comes to setting up and troubleshooting enterprise-wide autodetection.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Autodetection
455
Install the Firewall Client software. Considerations include the cost and complexity of deployment. ■
Troubleshoot autodetection.
You may recall from earlier readings that ISA Server uses the Web Proxy Autodiscovery Protocol (WPAD). WPAD can be configured on either DHCP or DNS servers or both. This way, when a roving client computer logs onto the network and receives DHCP or DNS configuration information, it is directed to the ISA Server configured through WPAD for that DHCP or DNS server. Setting up WPAD is easy. Let’s use Exercise 8.2 to show you how to do it.
WPAD within DHCP will work only for Windows 98, Windows Me, and Windows 2000 clients.
EXERCISE 8.2
Configuring WPAD within DHCP 1. From the Windows 2000 DHCP server computer, choose Start ➢ Programs ➢ Administrative Tools ➢ DHCP. The DHCP configuration MMC appears, as shown on the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
456
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.2 (continued)
2. In the Console pane, right-click the DHCP server and select Set Predefined Options from the shortcut menu. The Predefined Options And Values window appears, as shown below.
3. Click the Add button to open the Option Type window, shown below.
4. In the Name input box, type in WPAD. 5. In the Data Type drop-down list box, select String. 6. In the Code input box, enter 252. 7. In the Description input box, type in ISA Server DHCP Autodetection.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Autodetection
457
EXERCISE 8.2 (continued)
8. Verify all entries, and then click OK to return to the Predefined Options And Values window.
9. In the Option Name drop-down list box, select your new 252 WPAD entry.
10. In the String input box, type in the following string: http://ISA_Server_name:port_number/Wpad.dat. Note that the example below shows my server, 2000guy, with the default port 8080 entry. You would use the server’s fully qualified domain name.
11. Click OK to return to the DHCP window. 12. Close the DHCP window. Windows 98, Me, and 2000 clients can now use DHCP to discover your ISA Server. Note that you’ll have to configure all DHCP servers that you intend to have participate in the autodiscovery mechanism.
Configuring DNS clients for autodiscovery is even easier than configuring DHCP. We’ll use Exercise 8.3 to set up your DNS box for this feature.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
458
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.3
Configuring WPAD within DNS 1. From the Windows 2000 DNS server computer, choose Start ➢ Programs ➢ Administrative Tools ➢ DNS. The DNS configuration MMC appears, as shown on the following page.
2. Drill down to the forward lookup zone for the server you’re interested in configuring. Right-click the appropriate forward lookup zone, and then select New ➢ Alias from the shortcut menu. The New Resource Record window appears.
3. In the Alias Name text box, type in WPAD. 4. In the Fully Qualified Name For Target Host text box, type in the FQDN of your ISA Server. In the graphic shown below, I used the 2000guy server’s FQDN.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Autodetection
459
EXERCISE 8.3 (continued)
5. Click OK to return to the DNS window. 6. Now close the DNS window. Windows 98, Me, NT, and 2000 clients can now use DNS to discover your ISA Server.
Neither of these exercises will be worth a hoot until you enable automatic discovery on your ISA Server arrays. Let’s use Exercise 8.4 to run through the mechanism of enabling automatic discovery. EXERCISE 8.4
Enabling Automatic Discovery on an ISA Server Array 1. From the ISA Management console, right-click the array and select Properties from the shortcut menu. The Array_name Properties sheet appears, as shown below.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
460
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.4 (continued)
2. Click the Auto Discovery tab. Then check the Publish Automatic Discovery Information check box, and select a port if the one you want is different from the default of 80. The screen below shows the final configuration.
3. Click OK. You’re prompted with a warning that you must stop and restart the Web Proxy service for the changes to take affect.
4. Click OK. The ISA Server is now ready to publish automatic discovery information.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Autodetection
461
Finally, navigate down through the ISA Management console to the Client Configuration node. Right-click each client type and enable automatic discovery. In the web browser client, be sure to also check the Automatically Discover Settings check box and, if desired, also check the Set Web Browsers To Use Automatic Configuration Script check box, as shown in Figure 8.4. Figure 8.5 shows the Firewall client automatic discovery configuration. FIGURE 8.4
The web browser client automatic discovery configuration
Note that you’ll have to configure all DNS forward lookup zones that you intend to have participate in the autodiscovery mechanism. By setting up your DHCP and DNS servers with WPAD, you’re enabling roving users to find an ISA Server anywhere they might happen to log on to the network.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
462
Chapter 8
■
Troubleshooting ISA Server
FIGURE 8.5
The Firewall client automatic discovery configuration
Web proxy clients must have IE 5 or higher to make use of autodiscovery.
By going through these two exercises, you may gain a feel for some of the problems you might run into with autodiscovery. For example, if you’ve not configured all DHCP servers with a WPAD entry, it’s possible that some clients may not discover their ISA Server. Be careful to configure all DHCP and DNS servers with a WPAD entry for the ISA Servers that you want to be involved in the autodiscovery mechanism. Clients must be on IE 5 or higher to participate. Upgrade IE 4 or earlier or Netscape clients to IE 5 or higher to enable autodiscovery. If the web browser and Firewall client configurations have not been enabled for automatic configuration, then even though your WPAD entries are correct and you’ve enabled automatic configuration in the array properties, you still won’t have automatic configuration of clients.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Security and Network Usage 463
Better Than Internet Explorer Administration Kit? It used to be that when you worked with IE and wanted to point it to a default proxy server, you had to build a custom IE deployment using the IEAK. The IEAK isn’t so bad to learn how to use—it’s wizard-driven and fairly intuitive. But the tool could become burdensome if you wanted to point browsers to several different kinds of proxy servers. The problem with IEAK surfaced when you had to point your browsers to new or additional equipment. All of a sudden, you had to rerun the IEAK and prepare a whole new browser deployment—an operation that, at the least, was certainly time-consuming and possibly very problematic as well. With the automatic publishing of configuration information, coupled with the autodiscovery of ISA Servers and the enabling of your clients to automatically obtain client configuration information, you’ve saved hours of reconfiguration efforts.
Security and Network Usage
T
here are a few tools that you can use to check on the security of your ISA Server deployment, as well as network usage. We’ll start with a discussion of a tool called Netstat and then work our way into the use of Telnet and Network Monitor.
Troubleshoot problems with security and network usage. ■
Detect connections by using Netstat.
■
Test the status of external ports by using Telnet or Network Monitor.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
464
Chapter 8
■
Troubleshooting ISA Server
Using Netstat The Netstat utility is bundled with the Windows Me, NT, and 2000 operating systems. There are several uses for Netstat, as shown in the following commands: Displays all connections and listening ports. Server connections are not shown.
netstat –a
Shows the Ethernet statistics. You can use this switch in conjunction with –s.
netstat –e
netstat –n Same as netstat –a, but shows the numerical port form instead of the name lookup.
Shows the protocol statistics for TCP, UDP, ICMP, and IP. If you want to narrow down to a single protocol, use the –p switch. netstat –s –
netstat –p protocol – Use either UDP or TCP for protocol. If you use the –s switch in conjunction with –p, you can also check ICMP and
IP statistics. netstat –r –
Reveals the current routing table.
netstat interval – Use some interval in seconds to redisplay the current netstat output at regular intervals. Use Ctrl+B to stop the output. If you don’t use interval, the output is displayed only once.
You run netstat from a command prompt. In general, you’ll use netstat –a in conjunction with the ports currently being utilized in the Enterprise ➢ Policy Elements ➢ Protocol Definitions section of the ISA Management console. When you run netstat –a, you’re looking for problems on a specific port or ports. You’ll need to reference the port numbers you’re interested in tracking through the console tree node listed above. A healthy port will be shown as Listening. Other port problems might show up as a Conflict. We’ll use Exercise 8.5 to run a routine netstat –a and a netstat –n session.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Security and Network Usage 465
EXERCISE 8.5
Using Netstat 1. From the ISA Management console, navigate to Enterprise ➢ Policy Elements ➢ Protocol Definitions. In the Details pane of the resulting Available Protocols window, pick out a protocol and its associated port number that you want to check for.
2. From the Windows 2000 Server console, choose Start ➢ Run, and then in the Run text box, enter cmd. The Windows 2000 command prompt comes up.
3. At the command prompt, type the command netstat –a | more to reveal the ports currently in use on your ISA Server computer. The output will be similar to that shown below.
4. See if you can locate the protocol port that you were looking for from ISA Server and note its state.
5. Press Ctrl+C to stop the output. Now enter netstat –n to see the output in numeric order instead of name lookup order, similar to the output shown in the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
466
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.5 (continued)
6. Type exit to close the command prompt.
Using Telnet Another useful utility is Telnet. Part of the TCP/IP suite, Telnet is designed to allow you to remotely connect to another computer and interact with that computer through a terminal window. This is all command-oriented stuff—no cool GUIs here, but Telnet is an amazingly wonderful little utility. The command syntax is as follows: telnet host_name port_number The port_number entry is optional, and you wouldn’t typically use it for standard Telnet connectivity. But we’re going to use it to test out the various ports on the ISA Server to see if they’re responding. We’ll use Exercise 8.6 to test out the telnet command on the SMTP port—port 25.
By the way, using Telnet to access port 25 on a mail server, accompanied by the knowledge of a handful of SMTP commands, makes you a very dangerous hacker-type indeed. You can do a thing called relaying on port 25 of e-mail servers. This capability is so powerful that Exchange Servers today automatically prohibit relaying on that particular port.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Security and Network Usage 467
EXERCISE 8.6
Using Telnet to Check ISA Server Ports 1. From the ISA Management console, choose Start ➢ Run. Then in the Run text box, type in cmd to bring up the Windows 2000 command prompt.
2. Type the command Telnet ISA_Server_Name 25, where ISA_Server_Name is the name of your ISA Server. You should see a response like the one shown below.
3. Repeat this process for any port you’re curious in checking, substituting for the 25 the port you wish to check next. 4. Type quit to leave the Telnet session. 5. Type exit to leave the command-prompt session.
Using Network Monitor You use Network Monitor to capture and display frames that the Windows 2000 Server computer receives from the network. You can run Network Monitor to capture frames from any of the NICs installed in your computer. Since your ISA Server might be running two NICs (one for the internal network and one for the Internet connection), when you first
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
468
Chapter 8
■
Troubleshooting ISA Server
run Network Monitor you are asked which NIC you want to connect to. The problem with this scenario is that Network Monitor asks you to which NIC you want to connect based upon the NIC’s MAC address, which you probably don’t have stuck inside your billfold. If you’re not very familiar with TCP/IP, you might have a hard time discovering this information—it’s not in the properties for the Local Area Connection, nor can it be found in Device Manager. Exercise 8.7 shows a quick way to ascertain a NIC’s MAC address from the server. EXERCISE 8.7
Determining a NIC’s MAC Address 1. From the ISA Management console, choose Start ➢ Run. Then in the Run text box, type in cmd to bring up the Windows 2000 command prompt.
2. Ping the ISA Server with the command ping ISA_Server_Name, where ISA_Server_Name is the name of your ISA Server. 3. Next, type in the command arp –a to reveal the MAC address of the NIC you just pinged, as shown below.
4. After jotting down the MAC address, type exit to close the command prompt. Optionally, you could open a command prompt and type ipconfig /all to obtain the MAC addresses from all network cards in the machine.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Security and Network Usage 469
If you use Microsoft Systems Management Server, the Data Discovery Record (DDR) for your ISA Server will reveal both its IP address and MAC address, along with a few other pertinent items.
Now that you know the MAC address of the NIC you want to connect Network Monitor to, you’re ready to launch your session. Choose Start ➢ Programs ➢ Administrative Tools ➢ Network Monitor to launch the Network Monitor program. If prompted, pick the MAC address to connect to. Once you’re in the Network Monitor program, click the Start Capture button to start a capture of all incoming packets. Note that Network Monitor is an elaborate Windows 2000 tool that requires quite a bit of general knowledge regarding protocols and packets in order for you to understand what you’re reading. There are many documents on the Web that can assist you with understanding such a complex tool as Network Monitor. The Windows 2000 Network Monitor is a baby brother to SMS’ Network Monitor tool. We’ll use Exercise 8.8 to run Network Monitor and look at a basic capture of incoming packets. EXERCISE 8.8
Running Network Monitor 1. From the ISA Management console, choose Start ➢ Programs ➢ Administrative Tools ➢ Network Monitor.
2. If prompted for the MAC address you’d like to connect to, select the appropriate one and then click OK. The Network Monitor window appears.
3. Click the Start Capture button or press F10. The Network Monitor capture starts for the NIC you’re connected to. Launch a browser session so that you can generate some traffic and give your Network Monitor session something to capture.
4. After 30 seconds or so, click the Stop Capture button or press F11. You’ll see a screen somewhat similar to the one shown in the following page, displaying the session statistics.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
470
Chapter 8
■
Troubleshooting ISA Server
EXERCISE 8.8 (continued)
5. Press F12 to display the output of the capture. The screen content is similar to the one shown below.
6. Double-click any of the entries shown to reveal the details for that row. The window will be split into three panes: upper, middle, and lower. Highlight the data in the middle pane, similarly to the one shown on the following page.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Security and Network Usage 471
EXERCISE 8.8 (continued)
7. In the graphic above, the source port is 1745, and the destination port is unknown but presumed to be 4202.
8. Note the hex pane in the bottom section of the window. As you scroll through the items in the middle pane, the location for that code is displayed in the hex pane.
9. Close the Network Monitor session. There is no need to save the capture session.
If become astute at reading the information within the various incoming packets, you may be able to glean information about problems you might be having with your ISA Server. Alternatively, you can capture the output to a file and send it to a network-monitoring expert who could read the file and give you recommendations on the various packets’ contents.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
472
Chapter 8
■
Troubleshooting ISA Server
How Likely Are You to Glean Information from Network Monitor? Network Monitor is something that most administrators have not played around with much. The tool is very powerful, but it requires a modicum of understanding of packets, their layout, and the way that they go into and out of systems. For most admins, Network Monitor ranks in the heavier end of the spectrum of network administration, along with rocket science and fundamental particle physics, and as such it probably won’t be a really great source in your quest to solve problems with your ISA Server. In addition, the Network Monitor session you run is only as good as the incoming data—so if you’re testing your server at 2:00 A.M., when it’s unlikely anyone is going to hit it, then you’re not as likely to pull up really great data that can help you solve problems. You need to run the session in real time as problems occur or somehow duplicate the problems with users who are willing to help you test. That being said, I do think that if you practice with Network Monitor and get good at it, perhaps even interfacing with some router folks who can help you understand some of Network Monitor’s output, you’ll be able to improve your ISA Server troubleshooting efforts. But hey, how come we’re expecting so much trouble with ISA Server in the first place? If you’ve configured it correctly and the rules are set up and firing as you’ve laid them out—you shouldn’t have any problems at all now, should you?
Troubleshooting VPN Connections
O
f all the unique features of ISA Server, VPN access provides some of the most bang for the buck, allowing your telecommuters to utilize high-speed Internet access, gaining entry into your private network, or allowing your remote networks to connect to your local network through secure Internet VPN access. In either case, you can set up VPNs to leverage secure private network connectivity through inexpensive Internet resources.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Troubleshooting VPN Connections 473
Configure and troubleshoot Virtual Private Network (VPN) access.
ISA VPN makes use of Windows 2000’s Routing and Remote Access Service (RRAS) and the associated configuration information that you create. For a more thorough coverage of RRAS, see the MCSE: Windows 2000 Network Infrastructure Administration Study Guide (Sybex, 2001). When troubleshooting VPN connectivity, there are two different scenarios we must consider: local-to-remote VPN connectivity and client-to-local VPN connectivity. We’ll consider each of these from a troubleshooting standpoint.
Local-to-Remote VPN Connectivity The concept behind local-to-remote VPN connectivity is that you use the Local ISA VPN Wizard to set up your local VPN connection. The wizard will check to make sure RRAS is running, and if so, that it’s correctly configured. Then, once you’ve created the VPN, a VPC file along with two IP packet filters for either PPTP or L2TP (depending on your choice of VPN tunneling protocols) will be created as well. After this work is completed, an administrator in the remote site can run the Remote ISA VPN Wizard from their ISA Server. When the wizard is run, the information from the VPC file is utilized to create a secure tunnel between the two servers. Setting up local-to-remote VPN connectivity can run into problems in some of the following ways: RRAS remote policy not yet created You’ll be alerted of this situation right away while attempting to configure the local ISA VPN. This is an RRAS problem, not an ISA Server issue. To create a new remote policy, go to Start ➢ Programs ➢ Administrative Tools ➢ Routing And Remote Access from the Windows 2000 screen, navigate to Remote Access Policies and right-click it, and then select New Remote Access Policy from the shortcut menu. Remote ISA Server configured in cache mode The ISA Server in the remote site must be configured in integrated mode and will not allow remote VPN installation if in cache mode. No existing secondary DNS server The remote server must be able to contact a secondary DNS server at its location. Before setting up the Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
474
Chapter 8
■
Troubleshooting ISA Server
VPNs, make sure you’re hosting the primary DNS server and that the remote site has a server acting as a secondary server. Local subnet not in remote server’s LAT It’s important to key the local ISA Server’s subnets into the remote server’s LAT. Do not include external (Internet) addresses. Corrupt, deleted, or unavailable VPC file Because the remote site relies on the local site’s VPC file, its unavailability causes the setup to cease. Inability to create user account in the remote site The setup of localto-remote automatically creates an access account in the remote site. If some sort of connection restrictions are in place, then it’s possible that the account won’t get created.
The ISA Server test is replete with enterprise diagrams that show various interstate or inter-country sites somehow connected together. Keep in mind that the routing rules created in a remote site provide the filtering you need to route certain types of requests to specific servers. The ISA Server help screen has a wonderful enterprise scenario that very closely mimics the kinds of questions you’ll see on the test. Open ISA Server help, key in VPN, and select the Deployment Scenarios option.
Client-to-Local VPN Connectivity Client-to-local VPN connectivity presents another set of possibilities where things can go wrong. Following are some items to consider when troubleshooting client-to-local VPN connections: Windows 9x, Me, and NT clients cannot use L2TP. If you set up the local VPN to initially host Layer Two Tunneling Protocol (L2TP), only Windows 2000 Professional hosts can utilize this new technology. Either consider downscaling the tunneling protocol to Point to Point Tunneling Protocol (PPTP) or add PPTP IP packet filters to the local ISA Server to provide multi-Windows-platform connectivity. Client dial-up connection is incorrectly configured. If a client’s dial-up settings are incorrectly configured, then the user won’t be able to access the server. Remote access policy must be established. Just as with the Local to Remote VPN Wizard setup, you must have a remote access policy created with RRAS.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Troubleshooting VPN Connections 475
DNS entries (or lack thereof) create access issues. Name-resolution issues cause three-quarters of the difficulties you encounter on setups such as this. If your VPN server isn’t reachable by name, even if both the server and the client are set up correctly, then the client will not be able to contact the server. Probably the best thing you can do when troubleshooting complex integrated systems such as local-to-remote VPN scenarios that rely on various pieces of Windows 2000 is to take things back to the basics. Start by setting up a single site and content rule that allows all users to access all sites at all times. Then create a protocol rule that allows FTP, HTTP, and HTTPS. It’s possible that overly complex rules are firing in a way that prohibits you from accomplishing your goal. Get the rules back to basics, and then restructure as needed.
Open the ISA Management help screen and enter Troubleshooting in the index section of help to display a fairly rudimentary troubleshooting reference you might get assistance from if you’re having problems with a component of your ISA Server.
Note that an optimal way to configure RRAS for VPN access is a twostep process. We’ll use Exercise 8.9 to get you started. EXERCISE 8.9
Setting Up Your RRAS Configuration for VPN Users 1. In Active Directory Users And Computers, create a group called something like VPN Users. You’ll put into this group those individuals who are going to make use of VPN.
2. Next, create a remote access policy with two conditions: ■
Set the Network Access Server (NAS) port type to Virtual (VPN).
■
Add Windows Group as the attribute that the Remote Access Policy will use, and select the VPN Users group from the Group list presented when configuring the attribute.
You have now configured RRAS for VPN clients.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
476
Chapter 8
■
Troubleshooting ISA Server
Complexity of Rules Did you ever play that game where you stand around in a circle with a bunch of friends and whisper a story into the ear of the person next to you? She in turn tells it to the next person, and so forth. By the time the story gets back to you, it’s completely unintelligible. In a weird sort of way, that’s how firewall rules work. It’s important to understand the rules that you have firing and the order in which they fire. If need be, make a flowchart for each set of activities that you want to allow or deny, and compare them to the rules that you have in place on the firewall. You may find that some rules are getting in the way of certain activities you want to enable. Use the Keep It Simple Stupid (KISS) principle when working with firewall rules, and you’ll find that the system will be much less errorprone and easier for all to understand.
Summary
In this chapter, we talked about troubleshooting your ISA Server installation. We began with common installation problems such as services not starting, the icons not being built on an array member server, hardware issues, and the inability to extend the AD schema. It’s important to make sure that servers operating in production environments are on the Windows 2000 Hardware Compatibility List (HCL) to ensure, if for no other reason, that Microsoft support engineers will work with you when you encounter difficulties. Next, we discussed the three kinds of access problems you might expect to encounter: outbound, where your users are having difficulty accessing websites (and which represent the majority of the problems you’ll encounter with ISA); user-based, meaning Internet users are having problems trying to access published web or server installations; and packet-based, where an IP packet filter is misfiring.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Key Terms
477
Then we talked about problems you might encounter with dial-out connections using RRAS. Most issues you might run into here typically revolve around hardware incompatibilities or failures and misconfigured phonebook entries. We also discussed autodetection of the ISA Servers and the issues that center on this topic. Especially interesting is the notion of properly publishing the WPAD entries in all DHCP and DNS servers so that users reference the correct ISA array members for their configurations. Then we talked about the tools you can use to monitor network security and usage. Three key out-of-box tools can be utilized in the Windows 2000 environment—Telnet, Netstat, and Network Monitor. You can also purchase third-party tools that allow for more granularity in terms of the security and usage data on the network. Finally, we talked about VPN connections and the things that might go wrong when configuring them. We mentioned local-to-remote VPNs as well as client-to-local VPNs, noting the differences in the two configurations. Depending on which kind of configuration you’re dealing with, you might encounter different problems. For example, with a local-to-remote VPN connection, the remote site’s inability to access the VPC file might create problems. With VPN clients accessing the local network, the capability of functioning as an L2TP client may create issues for you.
Key Terms
Before you take the exam, be certain you are familiar with the following terms: autodiscovery
PASV mode
BootP
PORT mode
forwarder
superscope
helper address
Web Proxy Autodiscovery Protocol (WPAD)
MX record Network Access Server (NAS)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
478
Chapter 8
■
Troubleshooting ISA Server
Exam Essentials Know and understand the various things that could go wrong during an ISA Server installation. Remember the various modes that ISA can be installed in, especially in arrays. Remember that you need the Enterprise Edition of ISA Server for array work. Be familiar with the various types of access and the things that can go awry. Understand that there are outbound, user-based, and packet-based access and that each of these components can have its own problem spots. For example, with user-based access you might run into problems with reverse-hosting of web or e-mail servers, whereas with outbound access you’ll most likely have problems with clients trying to access websites. Know and understand the potential difficulties associated with setting up and using RRAS for dial-out access. One of ISA Server’s strong suits is its ability to dial ISPs for Internet connections. Understand the ramifications of working with RRAS and how to troubleshoot accordingly. Don’t forget that routing rules within ISA arrays might well play into the picture, though it’s sort of inconceivable that you’d have two campuses connecting to an ISP by phone. It’s important to remember that dial-in VPN clients also use RRAS. Autodetection is a huge feature of ISA Server. Be sure you understand why you’d use autodiscovery and the things that could go wrong. In the case of autodetection, name services might be a difficulty that could enter into the picture. Remember the WPAD scenario, especially the client types that can use WPAD over DHCP or WPAD over DNS. Know and understand the tools that are involved when researching network security and related problems. In addition to any third-party offerings you might already have in-house or are currently investigating, remember that you have Telnet, Netstat, and Network Monitor at your disposal. Pay special attention to Netstat, as it’s the most viable tool of choice when investigating TCP/IP ports. Be familiar with VPN technology, especially as it pertains to RRAS and its associated tie-in with ISA Server. Understand how clients connect to the ISA Server for VPN connectivity (by simply pointing to the ISA Server over the Internet). Also be familiar with problems that could arise through the setup of local/remote VPNs.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 479
Review Questions 1. You have recently configured two ISA Servers in an array, one in
your headquarters office and one at your branch office (see exhibit). You’ve configured an enterprise protocol rule that allows HTTP, HTTPS, and FTP. However, you’re receiving complaints that no one can access the Internet. What could be the problem? Select the two answers that represent the entire solution to the problem. Headquarters office
Branch office
Internet ISA Server
ISA Server
A. You’ve not yet created an enterprise site and content rule. B. You must create a destination set that includes the entire two
networks. C. You must add the branch office’s subnet to the LAT. D. Users must adjust their default gateway to point to the ISA
Server (become SecureNAT clients). 2. You’re trying to configure your ISA Server for client VPN connec-
tions. You’ve created a group specifically for VPN clients. You’ve also created a remote access policy (see exhibit) where the tunneling type equals PPTP or L2TP. However, your VPN clients cannot connect to the ISA VPN Server. What could be the problem? (Select all that apply.)
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
480
Chapter 8
■
Troubleshooting ISA Server
A. You have not added a condition for IPSec to the remote access
policy. B. The remote access policy should be set to NAS Type Matches
Virtual VPN. C. You’ve not yet enabled the members of the group for RRAS
access. D. You’ve not yet added the group to the remote access policy. E. There is no entry in WINS for the ISA Server. 3. You have a single ISA Server site with about 300 client computers, a
mixture of Windows 9x, Me, NT, and 2000 Professional computers. You set up auto-configuration by creating a WPAD entry in DHCP. Most of your clients were correctly configured to point to the ISA Server, but for some reason, some were not. What could be the problem? A. The ISA Server’s name is not in WINS. B. The ISA Server’s name is not in DNS. C. Windows 2000 Professional clients don’t use DHCP. D. Windows NT clients can’t use WPAD in DHCP. 4. You’re trying to set up a local-to-remote VPN connection between
your headquarters office in the U.S. and a branch office in the U.K. Both offices have a robust Internet connection that has long been established. You install the ISA Server at your headquarters, and your administrator buddy installs the ISA Server in the U.K. shop. You’ve run the Local ISA VPN Wizard and have validated that the VPC file is ready to go. When your buddy tries to run the Remote ISA VPN Wizard, he isn’t allowed to do so. What could be the problem? A. The VPC file is corrupt. B. The ISA Server in the U.K. has been set up in cache mode. C. There is no secondary DNS server in the U.K. D. The U.K. ISA Server cannot contact the headquarters ISA Server
by hostname.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 481
5. You want to examine your ISA Server’s open ports by both protocol
and port number. What command will you use? A. netstat -n B. telnet port_number C. netstat -a D. telnet number port_number E. netstat -q 6. You’ve recently installed two ISA Servers on your network. Because
you’re so busy, you outsourced the work to a contractor whom you brought in specifically for this purpose. After the installation of the ISA Servers, you immediately get complaints that users cannot receive Internet e-mail items anymore. You check the enterprise protocol rules (see the Available Protocol Rules screen in the exhibit). You also examine the enterprise site and content rule, which is set to allow all users access to all sites at all times. You examine the IP packet filter rules as well (see the Available Packet Filters screen in the exhibit). What could be the problem?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
482
Chapter 8
■
Troubleshooting ISA Server
A. The enterprise policy has been allowed to be overriden by the
second ISA Server. B. The IP packet filter No SMTP is blocking incoming Internet
e-mail. C. The Exchange Server is not set up for server publishing. D. The enterprise protocol rule is blocking HTTPS. 7. You have a three-network enterprise consisting of a site in the U.S.,
another in Canada, and still another in South America (see exhibit). The Canadian site home-runs to the U.S. site. The South American site has its own connection to the Internet. Your ISA Server design should include the following elements: The Canadian site will be a caching-only site. The South American site will connect to the U.S. site via a VPN. The South American site will request URLs from the U.S. site only when the URL is from North America. Which of the following configurations will accomplish the desired outcomes? Canadian site
U.S. site
Internet
South American site
A. Set up an ISA Server in each of the sites. Install the South
American and Canadian servers in cache-only mode. Install the U.S. server in integrated mode. Set up a routing rule in the South American server to route all North American URL requests to the U.S. site. Set up a local-to-remote VPN connection between the U.S. and South American servers.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 483
B. Set up an ISA Server in each of the sites. Install the Canadian
server in cache-only mode. Install the U.S. and South American servers in integrated mode. Set up a routing rule in the South American server to route all North American URL requests to the U.S. site. Set up a local-to-remote VPN connection between the U.S. and Canadian servers. C. Set up an ISA Server in each of the sites. Install the Canadian
server in cache-only mode. Install the U.S. and South American servers in integrated mode. Set up a routing rule in the South American server to route all North American URL requests to the U.S. site. Set up a local-to-remote VPN connection between the U.S. and South American servers. D. Set up an ISA Server in each of the sites. Install the U.S. and
Canadian servers in cache-only mode. Install the South American server in integrated mode. Set up a routing rule in the U.S. server to route all North American URL requests to the South American site. Set up a local-to-remote VPN connection between the U.S. and South American servers. 8. You’re at a technical conference in another city when you get a page
that the ISA Server doesn’t seem to be working. You don’t have your laptop with you—your only access to the Internet is through some Windows 2000 Professional demonstration computers in the vendor exhibitor area of the conference. What tool can you use to do some elementary testing on the ISA Server from this computer? A. Network Monitor B. Ping C. Netstat D. Telnet 9. You’ve recently set up a local-to-remote VPN connection between
your headquarters office in New York and a branch office in a Los Angeles. Some clients are able to utilize the VPN, while others cannot. What could be the problem?
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
484
Chapter 8
■
Troubleshooting ISA Server
A. The client sets don’t contain all users. B. The Firewall clients are incorrectly configured. C. The SecureNAT clients point to wrong default gateway. D. The Firewall clients are not allowed. 10. Your ISA Server installation has been working perfectly. Recently
your training department has negotiated a contract with a vendor who supplies streaming classroom media from the Internet. As the vendor begins to install the equipment and software needed for this transaction, she notices that she cannot retrieve the Internet content. What could be the problem? A. The SecureNAT clients must have a protocol rule for every
protocol used. B. The Firewall clients must have a protocol rule for every protocol
used. C. The IP packet filter is dropping RealPlayer content. D. The vendor’s site needs to be added to the destination set. 11. You have a two-member ISA Server array—one computer is in
Site A, one in Site B (see exhibit). Site A’s ISA Server acts as the primary array member. You configure Site A’s server with an enterprise protocol rule that allows all HTTP and FTP outgoing requests for any destination at any time. Your administrator buddy in Site B installed and configured its ISA Server. Users in Site B are complaining that they cannot hit certain secure websites even though your buddy has configured a protocol rule to allow HTTPS traffic. What could be the problem?
Internet Site A ISA Server
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Site B ISA Server
Review Questions 485
A. ISA Server services must be restarted when a new rule is entered. B. Users must run the Firewall client to access HTTPS sites. C. Enterprise rules override member array rules. D. The Site B administrator has not entered a protocol definition for
HTTPS. 12. You’re the administrator for a little 20-node dentist’s office. You use
a dial-up connection to get to the office’s ISP. You install ISA Server on your one-and-only file and print server in hopes that you can get it to dial up the ISP and connect users to the Internet whenever they request a web page. On top of that, you want to take advantage of ISA’s caching capabilities. You’re disappointed to find that the installation doesn’t work as hoped. When users try to access a web page, the ISA Server sits there as dumb as a rock and doesn’t do anything. What could be the problem? (Select all that apply.) A. No remote access policy is defined. B. No dial-up entry is created in ISA Server. C. No phonebook entry is created in RRAS. D. The RRAS is stopped. E. The bandwidth limitations are too restrictive. F. The ISP is not accepting phonebook credentials. G. ISA Server is not running TCP/IP. 13. You want to set up your ISA Server as VPN client host. After
running the ISA Server Client VPN Wizard, you find that some users are unable to connect to the ISA Server. What could be the problem? Select two answers that represent the entire solution to the problem. A. The clients are not enabled for remote access. B. The client logon credentials can’t be validated. C. The client is trying to use L2TP. D. The client is trying to use PPTP.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
486
Chapter 8
■
Troubleshooting ISA Server
14. When you begin setting up a dial-up entry within ISA Server,
you’re prompted with this error message: “Only network dial-up connections that exist on all array members can be used. No such network dial-up connection exists.” What could be the problem? A. The RRAS is stopped. B. The Remote Access Connection Manager Service is stopped. C. There are no phonebook entries for this server. D. The modem, ISDN, or X.25 connection you’re using isn’t
working. 15. You’re working with a two-node ISA Server array and attempting
to configure a dial-up entry within the ISA Management console. When you try to browse out to select a dial-up connection, you’re presented with the following error message: “The Microsoft ISA Server Control service is inaccessible.” You check this particular service and find it to be operational. You stop and restart the service, but you continue to get the error message. Thus, you cannot complete your dial-up entry. What could be the problem? A. ISA Server is unable to communicate with the service
through WMI. B. One of the ISA Server dependency services hasn’t started
correctly. C. The ISA Server Control service on the other array member isn’t
started. D. RRAS isn’t started. 16. You have a two-node ISA Server array. On the second node, you
cannot start the ISA services, and in the application event log you see this verbiage: “The Microsoft ISA Server Control service terminated with service-specific error 3221239556.” What should you do next? A. Check TechNet. B. Phone a friend. C. Reinstall ISA Server. D. Check the services to make sure their logon credentials are
correct and that dependency services are started.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Review Questions 487
17. You have a two-node array, SiteA and SiteB (see exhibit). Each site
has its own Internet connection. You want all URL activity directed toward military installations (MIL) to go through SiteA. After installing and configuring the ISA Servers, you are troubled to find that MIL URLs at SiteB are being obtained through SiteB. Where should you begin checking first?
SiteA
SiteB
Internet
A. Check enterprise site and content rules. B. Check SiteB protocol definitions. C. Check enterprise protocol definitions. D. Check SiteA protocol definitions. E. Check SiteB routing rules. 18. You’d like to be able to examine incoming packets and their
associated content. What troubleshooting utility or technique could you use? (Select all that apply.) A. Third-party protocol analyzers B. Telnet C. Netstat D. Network Monitor 19. You’re trying to set up a local-to-remote ISA Server VPN
installation. You get the local side successfully going, but when you try to run the remote ISA Server’s wizard, you get errors. What could be the problem? Select all that apply.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
488
Chapter 8
■
Troubleshooting ISA Server
A. The remote ISA Server isn’t a member of the local array. B. The local ISA Server can’t access the remote server to create the
account. C. The remote ISA Server doesn’t have a local DNS server it can
contact. D. The remote ISA Server’s VPC file is corrupt. E. The remote ISA Server’s LAT contains external entries. 20. You have an ISA Server running, and you’ve set up an internal web
server to host your corporate web pages to the Internet. When testing the installation, you find that you cannot access the web pages. What things should you check first? (Select all that apply.) A. Make sure that no protocol rules are blocking incoming HTTP
or HTTPS traffic. B. Make sure that you’re hosting on port 80 of the ISA Server’s
external NIC C. Make sure that you have an IP packet filter configured that
blocks all traffic on port 443. D. Make sure that you have an enterprise site and content rule
configured for all traffic all the time to all locations for all content groups. E. Make sure the web publishing rule is correctly set up.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 489
Answers to Review Questions 1. A, D. You must provide an enterprise site and content rule. Start
with one that’s generic—typically one that allows all users access to all sites at all times. Users become SecureNAT clients by virtue of having as their default gateway the address of the primary ISA Server. Since we’re told that both offices are having trouble with the access, we can assume that the branch office’s subnet has been keyed into the headquarters office LAT. 2. B, C, D. The remote access policy must contain entries for the
special VPN group you’ve created, and the members of that group must be enabled to utilize RRAS. The condition shown in the Add Remote Access Policy exhibit isn’t correct for VPN. You’ll need a two-condition policy that specifies the group and also specifies that the NAS is a virtual VPN. 3. D. Windows NT clients must use WPAD within DNS instead of
getting their WPAD information from DHCP. 4. B. We’re told in the question that your buddy “isn’t allowed to do
so,” which implies that the option is either grayed out or unavailable entirely. Hence, although the name server answers might be tempting, they’re probably not the correct choice. But, recall that if you’ve installed ISA Server in cache mode, you cannot utilize the VPN capabilities. 5. C. Netstat –a reveals both the protocol in use at a given port and
the port number. 6. B. The ISA Server test is one of those that requires a little knowledge
about a lot of different subjects. For example, don’t be shocked to see questions about Unix computers and, in this case, e-mail questions. SMTP uses port 25, and the IP packet filter rule that your contractor (evidently) set up is effectively blocking all incoming port 25 packets of type SMTP, thus effectively ruling out all incoming Internet e-mail. Even if no one noticed, eventually someone on the Internet would get an e-mail “bounce” and call his friend on the inside to make his friend aware that e-mail wasn’t getting in.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
490
Chapter 8
■
Troubleshooting ISA Server
7. C. The Canadian server need only be a caching server, so you can
install it in cache-only mode and make it an array member of the U.S. server. Both the U.S. and South American servers must be installed in integrated mode to facilitate VPN connectivity. You can set up a routing rule that will forward requests for North American URLs from South American users to the U.S. site. You’ll set up a local-to-remote VPN connection between the U.S. and South American servers—a wonderfully cost-effective way of leveraging the Internet for wide-area connectivity. 8. D. This is a time when Telnet might really be useful to you—
provided you know the ports that are open on your ISA Server. Simply Telnet to each of the ports to see if you get a reply. In this way, you may not be able to solve the problem entirely, but you can validate whether data is being allowed to specific ports on the ISA Server. 9. D. Recall that Firewall clients cannot use local-to-remote VPN
connections because they are unable to utilize Generic Routing Encapsulation, which is required by ISA VPN connections. 10. A. We’re not told what type of client the site is using, but it’s a safe
bet that most installations will make use of the SecureNAT client (it’s way easier to update a default gateway through DHCP than to visit each PC and install the Firewall client). The SecureNAT clients must have a protocol rule for each protocol they’re using. The vendor must stipulate what protocol is in use for the streamed content, and a protocol rule must be entered into the ISA Server. 11. C. Enterprise rules override member array rules. Thus, even if the
administrator in Site B has tried to allow HTTPS traffic, users will not be able to access the secure websites because the enterprise policy doesn’t allow the protocol. Incidentally, HTTPS happens to be one of the default preconfigured enterprise protocol definitions, so don’t get stymied if you see item D on a real-life test. 12. A, B, C, D, E, F. All of the above could be potential problem areas,
with the exception of the uninstalled protocol. ISA Server will prompt you that it requires TCP/IP before it can install.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Answers to Review Questions 491
13. A, B. Clients either are not enabled for remote access through
Windows Active Directory Users And Computers or are not using the correct credentials. By default, when you run the ISA Server Client VPN Wizard, both PPTP and L2TP IP packet filters are created, so the client Windows platform should not be an issue. 14. C. You must first key in a phonebook entry through the Win-
dows 2000 Network And Dial-up Connections window, and then configure an ISA Server dial-up connection using the name of the phonebook entry you made. 15. C. This is a real Homer Simpson move. (I know because I got caught
trying to do it!) First of all, you’re in the wrong node of the array. Let’s say, for example, that you have ServerA and ServerB, the former being the primary server in the array. You’re on ServerA trying to configure a dial-up entry. But you’ve inadvertently surfed into ServerB’s node and are erroneously trying to configure a dial-up connection on ServerB. Unfortunately, ServerB’s control is actually stopped, but it takes you about an hour-and-a-half to figure it out because you don’t realize you’re in the wrong node! Doh! First fix the control-service problem on ServerB; then get on the right node and set up your dial-up connection. 16. D. First things first—check the service(s) to make sure their logon
credentials are correct and that their associated dependency services are started. In the Windows NT 4 days, figuring out dependency services was a by-gosh-or-by-golly effort, but in Windows 2000, you can bring up the Properties sheet for a service, click its Dependencies tab, and figure out what other neurons have to fire for this service to start. The ISA services use the LocalSystem account, so generally you wouldn’t think you’d get in the weeds with a credentials issue (though I’ve run into problems like this before and have fixed it by entering an administrator-like account). Next, check TechNet to see if you can find any hits on this particular error. Also check with friends to see if they’ve ever run into this situation. Finally, when all else fails (or a Microsoft Systems Engineer advises you to do so), reinstall the software.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
492
Chapter 8
■
Troubleshooting ISA Server
17. E. In order to provide the kind of granularity you seek with the MIL
URLs, you need a routing rule. Evidently it’s not firing, hence SiteB clients are able to grab MIL URLs from SiteB’s ISA Server. Start with the routing rule. 18. A, D. You want to use a protocol analyzer to sniff the incoming
packets and give you information on the contents of the packets, destination and source ports, etc. You can use a third-party solution for this, or you can use the Windows 2000 Network Monitor. If you have Microsoft Systems Management Server 2.0 installed, you can use its more robust Network Monitor as well. 19. A, C, D. You must have a secondary DNS server running in the
remote site, one that’s secondary to the local server’s primary DNS. The remote server also needs to be a member of the local array. And there can be no external entries in its LAT. 20. A, B. Incoming clients operate in a different context than outgoing
clients. For example, you don’t care about site and content rules because they apply to outgoing requests, not incoming. Essentially, the things that are going to hinder your ability to reverse-host websites revolve around the port and NIC you’re publishing on, the publishing rule, and the fact that you may have a protocol rule or IP packet filter blocking specific incoming requests.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
494
Glossary
A
ACE See access control entry. ACK See acknowledgment.
A record (Address record or Host record) An entry record in the DNS database that maps the hostname of a computer with its IP address. access control entry (ACE) An item used by the operating system to determine resource access. Each access control list (ACL) has an associated ACE that lists the permissions that have been granted or denied to the users and groups listed in the ACL. access control list (ACL) An item used by the operating system to determine resource access. Each object (such as a folder, network share, or printer) in Windows 2000 has an ACL. The ACL lists the security identifiers (SIDs) contained by objects. Only those identified in the list as having the appropriate permission can activate the services of that object. access policy The set of rules that define the protocols, sites, and content that users behind an ISA Server are allowed to access. access token An object containing the security identifier (SID) of a running process. A process started by another process inherits the starting process’s access token. The access token is checked against each object’s access control list (ACL) to determine whether or not appropriate permissions are granted to perform any requested service.
acknowledgment The control code that is sent by the receiving computer to the sender informing it that the information packet was properly received and that it is all right to send the next one. ACL
See access control list.
active caching ISA Server automatically retrieves web content before it expires, thereby keeping the cached material fresh for users. adapter Any hardware device that allows communications to occur through physically dissimilar systems. This term usually refers to peripheral cards that are permanently mounted inside computers and provide an interface from the computer’s bus to another medium such as a hard disk or a network. alert A warning trigger that is activated by predefined conditions such as cache initialization failures, service shutdowns, or even intrusion detections. Alerts can be configured to log an entry to the event log or even send an e-mail message or page to you. Anonymous Logon group A Windows 2000 special group that includes users who access the computer through anonymous logons. Anonymous logons occur when users gain access through special accounts, such as the IUSR_computername and
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 495
TsInternetUser user accounts. Normally, a password is not required, so that anyone can log on.
bandwidth priorities The relative amount of available bandwidth you assign to a particular type of external traffic.
application filters Allows for an added layer of security by providing applicationspecific filtering. Application filters examine the data stream, and not just the specific packet, looking for allowable content.
bandwidth throttling A method for limiting the maximum amount of bandwidth that can be used by a web server.
Application layer The seventh (top) layer of the Open Systems Interconnection (OSI) model that interfaces with application programs by providing high-level network services based on lower-level network layers. Application log A log that tracks events that are related to applications running on the computer. The Application log can be viewed in the Event Viewer utility. Authenticated Users group A Windows 2000 special group that includes users who access the Windows 2000 operating system through a valid username and password. autodiscovery The process by which a web browser can locate an ISA Server on a network without any user input. Autodiscovery makes use of configuration settings enabled in either DNS or DHCP.
baseline A snapshot record of a computer’s current performance statistics that can be used for performance analysis and planning purposes. bastion host The computer system that sits at the edge of a private network and guards against external threats. binding The process of linking together software components, such as network protocols and network adapters. BootP (Bootstrap Protocol) A protocol that enables a diskless workstation to discover its own IP address or the IP address of a DHCP server on your network. This, in turn, allows the workstation to boot without requiring a hard disk or floppy drive. bottleneck A system resource that is inefficient compared with the rest of the computer system as a whole. The bottleneck can cause the rest of the system to run slowly.
B bandwidth The total capacity of the transmission media. Bandwidth is commonly expressed as bits per second (bps) or as hertz (frequency).
Copyright ©2001 SYBEX, Inc., Alameda, CA
C Cache Array Routing Protocol (CARP) Microsoft’s algorithm that allows multiple proxy servers configured in an array to
www.sybex.com
496
Glossary
distribute retrieved web objects across a single logical cache. Through the use of CARP, client requests for web objects can be directed to the appropriate server that contains the requested information. caching A speed-optimization technique that keeps a copy of the most recently used data in a fast, high-cost, low-capacity storage device rather than in the device on which the actual data resides. Caching assumes that recently used data is likely to be used again. Fetching data from the cache is faster than fetching data from the slower, larger storage device. Most caching algorithms also copy data that is most likely to be used next and perform write-back caching to further increase speed gains. CAL CARP
See Client Access License. See Cache Array Routing Protocol.
carrier A frequency in a communications channel modulated to carry analog or digital signal information. For example, an FM radio transmitter modulates the frequency of a carrier signal, and the receiver processes the carrier signal to extract the analog information. An AM radio transmitter modulates the amplitude of a carrier signal. certificate A digital attachment to an electronic message that is used for authentication purposes. One of the most common uses is to verify that the user sending a message is who they claim to be. Certificates can be acquired from a third-party Certificate Authority (CA),
such as VeriSign or Equifax, or can be issued in-house by configuring your own CA using Microsoft’s Certificate Service. circuit filtering Similar to packet filtering, circuit filtering looks at the session instead of the connection. Circuit filtering allows an administrator to define secondary ports that are opened by an application after the initial connection has been made, thereby allowing the application to function through the firewall. client A computer on a network that subscribes to the services provided by a server. Client Access License (CAL) A license that allows a computer to legally access a Windows 2000 server or domain controller. Client Access Policy The set of rules defined in ISA that determine which clients are allowed to access particular websites and the protocols they are allowed to use. Client Address Set A grouping of internal computers that may be used by an access policy to either allow or deny access for outgoing web requests. cluster A group of computers acting together as a single logical machine to provide fault tolerance and failover for network services. cluster node A specific member computer of a cluster.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 497
CNAME record (alias) A DNS entry record that allows you to assign additional hostnames to a single machine or a single hostname to multiple machines.
provides the digital interconnection of network devices and the software that directly operates these devices, such as network adapters.
COM port Communications port. A serial hardware interface conforming to the RS-232C standard for low-speed, serial communications.
DDR
Committed Information Rate (CIR) A specified amount of guaranteed bandwidth (measured in bits per second) on a Frame Relay service. Typically, when purchasing a Frame Relay service, a company can specify the CIR level they wish. The Frame Relay network vendor guarantees that frames not exceeding this level will be delivered. It’s possible that additional traffic may also be delivered, but it’s not guaranteed. connection-oriented service A type of connection service in which a connection (a path) is established and acknowledgments are sent. This type of communication is reliable but has a high overhead. connectionless service A type of connection service that does not establish a connection (path) before transmission. This type of communication is fast, but it is not very reliable.
D Data Link layer In the Open Systems Interconnection (OSI) model, the layer that
Copyright ©2001 SYBEX, Inc., Alameda, CA
See demand-dial routing.
dedicated IP address The IP address used by the Network Load Balancing service of Windows 2000 to distinguish the individual hosts of a cluster. default gateway A TCP/IP configuration option that specifies the gateway that will be used if the network contains routers. demand-dial routing (DDR) A routing mechanism that allows a user to utilize existing telephone lines, or Public Switched Telephone Networks, to form a WAN instead of using dedicated connections. Typically implemented by users who do not need a permanent, continuous link between sites, the connection becomes active only when data is sent to the remote site. When no data has been sent over the link for a specified length of time, the link is disconnected. demand-dial routing connections Support for both inbound connections and outbound connections for a RAS server. Resources located across a WAN connection requiring a modem, or other similar dialing device, can be automatically connected by the system upon request for those items. demarc (d-mark, demarcation) The point at which the carrier from your provider
www.sybex.com
498
Glossary
terminates and is then connected to your internal network. demilitarized zone (DMZ) A network that sits between the secured private network and an unsecured external network, typically the Internet, providing an additional layer of security. destination set External computers of directories you wish to either allow or deny access to from internal ISA Server clients. dial-up networking A service that allows remote users to dial into the network or the Internet (such as through a telephone or an ISDN connection). Dialup group A Windows 2000 special group that includes users who log on to the network from a dial-up connection. directives Additional information contained in a W3C-format log file that records version, date, and logged fields as well as the actual data. discard eligible The portion of bandwidth that exceeds the Committed Information Rate and is considered expendable if necessary.
DNS See Domain Name System. Domain Name System (DNS) The TCP/IP network service that translates fully qualified domain names (or hostnames) into IP addresses. domain user account A user account that is stored in the Windows 2000 Server Active Directory’s central database. A domain user account can provide a user with a single user account for a network. Also called an Active Directory user account. downstream servers When ISA Servers are configured in a chain, one server passes information requests to another server that is connected to the Internet; the server that is closer to the client and removed from the Internet is considered to be downstream. dynamic packet filtering The process by which ports are opened and closed on the firewall only in response to client requests for services or applications.
E EB
distributed caching A system by which a group of ISA Servers is configured as an array and is then managed as a single logical entity. These servers share the cached content among all the servers in the array, thereby distributing the content among the array members. Distributed caching also allows for both load balancing and fault tolerance of the cache.
See exabyte.
enterprise initialization The process of expanding the Active Directory schema, populating it with the necessary attributes and objects to support ISA Server arrays in an enterprise environment.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 499
Ethernet The most popular Data Link layer standard for local area networking. Ethernet implements the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method of arbitrating multiple computer access to the same network. This standard supports the use of Ethernet over any type of media, including wireless broadcast. Standard Ethernet operates at 10Mbps. Fast Ethernet operates at 100Mbps. Event Viewer A Windows 2000 utility that tracks information about the computer’s hardware and software, as well as security events. This information is stored in three log files: the Application log, the Security log, and the System log. Everyone A Windows 2000 special group that includes anyone who could possibly access the computer. The Everyone group includes all of the users (including Guests) who have been defined on the computer. exabyte A computer storage measurement equal to 1,024 petabytes. expiration policy Settings that define when certain web content is no longer “fresh” and should be updated by the ISA Server. external interface The connection mechanism joining your ISA Server to the Internet or other outside network that you wish to protect yourself from. This could be a second network interface card or even a modem or DSL connection.
Copyright ©2001 SYBEX, Inc., Alameda, CA
F fault tolerance Any method that prevents system failure by tolerating single faults, usually through hardware redundancy. File Transfer Protocol (FTP) A simple Internet protocol that transfers complete files from an FTP server to a client running the FTP client. FTP provides a simple, low-overhead method of transferring files between computers but cannot perform browsing functions. Users must know the URL of the FTP server to which they wish to attach. firewall A device that is placed between the internal and external network and used to filter all traffic either entering or leaving the protected private network. Firewalls examine all traffic that passes through their doors and compares these packets to rules in order to determine if the information is allowed or not. Firewalls may be implemented as either hardware or software solutions, or both. ISA is an example of a firewall software solution. firewall chaining The ability to arrange ISA Servers in a linked chain such that down-level servers can forward requests for external access to up-level servers that are closer or better connected to the Internet. Firewall client Requires that the Firewall Client software be installed on the client computer. Allows for user-based access restrictions to be enforced.
www.sybex.com
500
Glossary
forward caching Used to provide internal clients access to web objects on the Internet. Retrieved web content is stored locally on the ISA Server’s hard drive. Additional requests for the same object are then fulfilled from the cached content without the need to return to the Internet.
groups Security entities to which users can be assigned membership for the purpose of applying the broad set of group permissions to the user. By managing permissions for groups and assigning users to groups, rather than assigning permissions to users, administrators can more easily manage security.
forwarder Supplies directions for a service as to where it should pass on information requests when the service itself does not know the answer or have the information.
GUI
frame A data structure that network hardware devices use to transmit data between computers. Frames consist of the addresses of the sending and receiving computers, size information, and a checksum. Frames are envelopes around packets of data that allow the packets to be addressed to specific computers on a shared media network. FTP See File Transfer Protocol.
G GB
See gigabyte.
gigabyte A computer storage measurement equal to 1,024 megabytes. graphical user interface (GUI) A computer shell program that represents mass-storage devices, directories, and files as graphical objects on a screen. A cursor driven by a pointing device such as a mouse manipulates the objects.
See graphical user interface.
H H.323 A standard approved by the International Telecommunications Union (ITU) that defines how audiovisual conferencing data is transmitted across networks. hard disk drive A mass-storage device that reads and writes digital information magnetically on disks that spin under moving heads. Hard disk drives are precisely aligned and cannot normally be removed. Hard disk drives are an inexpensive way to store gigabytes of computer data permanently. Hard disk drives also store the software installed on a computer. hardware compatibility list (HCL) A list of all of the hardware devices supported by Windows 2000. Hardware on the HCL has been tested and verified as being compatible with Windows 2000. HCL
See hardware compatibility list.
helper address The address that is configured on an interface to which broadcasts that are received by that interface will be sent.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 501
HOSTS file A file that is used to map IP addresses to hostnames. A HOSTS file can be used in place of a DNS server. HTML
See Hypertext Markup Language.
HTTP
See Hypertext Transfer Protocol.
that operates at 64KB per channel over regular twisted-pair cable. Up to 24 channels can be multiplexed over two twisted pairs. Interactive group A Windows 2000 special group that includes all the users who use the computer’s resources locally.
HTTP Redirector filter Intercepts a web request for a specified destination from a client and then redirects it to an alternate site as determined by the administrator.
interactive logon A logon in which the user logs on from the computer where the user account is stored on the computer’s local database. Also called a local logon.
hyperlink A link within text or graphics that has a web address embedded in it. By clicking the link, a user can jump to another web address.
interactive user A user who physically logs on to the computer where the user account resides (rather than over the network).
Hypertext Markup Language (HTML) A textual data format that identifies sections of a document such as headers, lists, hypertext links, and so on. HTML is the data format used on the World Wide Web for the publication of web pages. Hypertext Transfer Protocol (HTTP) An Internet protocol that transfers HTML documents over the Internet and responds to context changes that happen when a user clicks a hyperlink.
I IIS
See Internet Information Services.
inbound connections Connections that allow incoming access to an RAS server. Integrated Services Digital Network (ISDN) A direct, digital, dial-up connection
Copyright ©2001 SYBEX, Inc., Alameda, CA
interfaces All of the different connections on your server, whether they are internal or external, that physically join your server to the network. These could be a network interface card (NIC), modem, or other mechanism. Intermediate Data Facility (IDF) A room or closet separate from the Main Data Facility (MDF) that houses switches, patch panels, hubs, cabling, and other network interconnecting equipment. IDFs are usually found in outlying areas of a building or campus and serve as a connecting point between users and the MDF. internal interface The connection or connections on your ISA Server that join it to your private network. Internet Control Message Protocol (ICMP) An extension to the Internet Protocol (IP) defined by RFC 792. ICMP supports packets
www.sybex.com
502
Glossary
containing error, control, and informational messages. Ping, as an example, uses ICMP to test a network connection. Internet Explorer A World Wide Web browser produced by Microsoft and included with Windows 9x, Windows NT 4, and now Windows 2000. Internet Information Services (IIS) Software that serves Internet higher-level protocols like HTTP and FTP to clients using web browsers. The IIS software that is installed on a Windows 2000 Server computer is a fully functional web server and is designed to support heavy Internet usage. Internet Locator Service (ILS) Provides a standards-based solution for a dynamic directory that allows users to easily find each other on the Internet or an intranet. Used to publish IP multicast conferences or H.323 IP telephony, ILS makes it easier to manage applications such as Microsoft NetMeeting. Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) A networking protocol developed by Novell and used in Novell NetWare networks. Windows implements IPX through its NWLink protocol.
IP provides a simple connectionless packet exchange. Other protocols such as TCP use IP to perform their connection-oriented (or guaranteed delivery) services. Internet Protocol Security (IPSec) A suite of encryption services and security protocols that allow you to protect the traffic on your network, not only between remote sites but within the local area network as well. IPSec allows for confidentiality through encryption, authentication through digital signatures or shared keys, and data integrity by incorporating a checksum for verification. Internet Relay Chat (IRC) A chat system that allows multiple users to simultaneously join in a real-time discussion forum over the Internet. Internet Server Application Programming Interface (ISAPI) filter A method for directing web browser requests for specific URLs to specific ISAPI applications, which are then run. ISAPI filters are commonly used to manage customized logon authentication. Internet Service Provider (ISP) A company that provides dial-up connections to the Internet.
Internet Print Protocol (IPP) A Windows 2000 protocol that allows users to print directly to a URL. Printer- and jobrelated data are generated in HTML format.
Internet Services Manager A Windows 2000 utility used to configure the protocols that are used by Internet Information Services (IIS) and Personal Web Services (PWS).
Internet Protocol (IP) The Network layer protocol upon which the Internet is based.
internetwork A network made up of multiple network segments that are connected with
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 503
some device, such as a router. Each network segment is assigned a network address. Network layer protocols build routing tables that are used to route packets through the network in the most efficient manner. internetworking The collection of routers, switches, hubs, and cabling that constitute a network infrastructure. interprocess communications (IPC) A generic term describing any manner of client/ server communication protocol, specifically those operating in the Application layer. IPC mechanisms provide a method for the client and server to trade information. intranet A privately owned network based on the TCP/IP protocol suite. intrusion detection filter Special packet or application filters designed to look for specific intrusion methods, and stop them.
IPCONFIG A command used to display the computer’s IP configuration. IPP See Internet Print Protocol. ISAPI filter See Internet Server Application Programming Interface filter. ISDN See Integrated Services Digital Network. ISP
See Internet Service Provider.
K Kerberos A security protocol that is used in Windows 2000 Server to authenticate users and network services. This is called dual verification, or mutual authentication. Windows 2000 Server uses Kerberos version 5.
L
IP See Internet Protocol. LAT IP address A four-byte number that uniquely identifies a computer on an IP internetwork. IP fragment filters Filters designed to detect and drop fragmented packets to help protect against several well-known attacks. However, certain applications such as streaming audio also make use of fragments to deliver their large payload across the network. IPC
See interprocess communications.
Copyright ©2001 SYBEX, Inc., Alameda, CA
See Local Address Table.
Layer 2 Tunneling Protocol (L2TP) An Internet tunneling protocol that, unlike PPTP, does not require IP-based connectivity. L2TP is used for setting up a secure communication channel from client to server, or even from server to server, across a public network such as the Internet. It provides authentication for the connection as well as the underlying tunnel. Encryption for an L2TP tunnel is provided by IPSec. LDT
See Local Domain Table.
www.sybex.com
504
Glossary
listeners The configured authentication method for a particular internal network adapter that “listens” for outgoing web requests. LLC sublayer See Logical Link Control sublayer. Local Address Table (LAT) The ISA routing table used to determine if a destination address is local to the network, and therefore should remain internal, or if the destination is external and should be looked for on the Internet. Local Domain Table (LDT) Similar to the Local Address Table (LAT), the LDT allows you to designate particular domain names as local to the ISA network and therefore should not be sought outside. Logical Link Control (LLC) sublayer A sublayer in the Data Link layer of the Open Systems Interconnection (OSI) model. The LLC sublayer defines flow control.
M MAC (Media Access Control) address The physical address that identifies a computer. Ethernet and Token Ring cards have their MAC address assigned through a chip on the network card. MAC sublayer See Media Access Control sublayer.
Mail Server Security Wizard A take-youby-the-hand configuration tool for setting up the needed rules and filters for allowing secure access to your mail server behind an ISA Server. Main Data Facility (MDF) The primary network closet or room. The MDF usually contains switches, routers, hubs, uninterruptible power supplies (UPS), servers, printers, routers, cabling, and other networking gear. The MDF often will have cabling that connects outlying closets (such as in a wing of a building) to itself so that outlying users have a way of connecting to the data facility. MB
See megabyte.
Media Access Control (MAC) sublayer A sublayer in the Data Link layer of the Open Systems Interconnection (OSI) model. The MAC sublayer is used for physical addressing. megabyte (MB) A computer storage measurement equal to 1,024 kilobytes. member server A Windows 2000 Server that has been installed as a non-domain controller. This allows the server to operate as a file, print, and application server without the overhead of account administration. memory Any device capable of storing information. This term is usually used to
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 505
indicate volatile random access memory (RAM) capable of high-speed access to any portion of the memory space, but incapable of storing information without power. Microsoft Management Console (MMC) A standard interface into which applicationcontrol applets (snap-ins) are placed, allowing you to configure their services and/or functionality. MMC
See Microsoft Management Console.
modem Modulator/demodulator. A device used to create an analog signal suitable for transmission over telephone lines from a digital data stream. Modern modems also include a command set for negotiating connections and data rates with remote modems and for setting their default behavior. multi-homed A server that contain two or more network adapters, allowing it to connect to multiple segments of a network. This allows the server to control or route traffic between the segments. mutual authentication The type of authentication used with Kerberos version 5. With mutual authentication, the user is authenticated to the service and the service is authenticated to the user. MX record Mail exchange record; a record in the DNS database that identifies the mail servers on your network based on the domain name used in the address.
Copyright ©2001 SYBEX, Inc., Alameda, CA
N NAT
See Network Address Translation.
NetBEUI See NetBIOS Extended User Interface. NetBIOS Extended User Interface (NetBEUI) A simple Network layer transport protocol developed to support NetBIOS installations. NetBEUI is not routable, and so it is not appropriate for larger networks. NetBEUI is the fastest transport protocol available for Windows 2000. NetWare A popular network operating system developed by Novell in the early 1980s. NetWare is a cooperative, multitasking, highly optimized, dedicated-server network operating system that has client support for most major operating systems. Recent versions of NetWare include graphical client tools for management from client stations. At one time, NetWare accounted for more than 70 percent of the network operating system market. Network Access Server (NAS) The server on your network that accepts the Point-toPoint Protocol (PPP) connection from remote clients. network adapter The hardware used to connect computers (or other devices) to the network. Network adapters function at the Physical layer and the Data Link layer of the Open System Interconnection (OSI) model.
www.sybex.com
506
Glossary
Network Address Translation (NAT) The process by which the internal client’s IP address is converted and mapped to an external address of the translating server. Network layer The layer of the Open System Interconnection (OSI) model that creates a communication path between two computers via routed packets. Transport protocols implement both the Network layer and the Transport layer of the OSI stack. For example, IP is a Network layer service. Network Load Balancing (NLB) A service in Windows 2000 that controls the distribution of traffic across multiple servers to provide better reliability and scalability for Internet server applications. Network News Transfer Protocol (NNTP) An Internet protocol used to provide newsgroup services between NNTP servers and NNTP clients. NNTP See Network News Transfer Protocol.
O Open Systems Interconnection (OSI) model A reference model for network component interoperability developed by the International Organization for Standardization (ISO) to promote cross-vendor compatibility of hardware and software network systems. The OSI model splits the process of networking into seven distinct services, or layers. From top to bottom, the layers are Application, Presentation, Session, Transport, Network, Data Link, and Physical. Each layer uses the services of the layer below to provide its service to the layer above. OSI model See Open Systems Interconnection model. outbound connections Connections that allow users to dial out to external resources through an RAS server.
P
node A single processing location, a node can be a computer or other device, such as a printer. Each node has a unique IP address used to distinguish it on the network.
packet filter A static filter used to specify the type of IP traffic that is either specifically allowed or denied into or out of your network. These filters can evaluate packets based upon protocol (TCP, UDP, ICMP), port number, destination address, or source address.
NWLINK IPX/SPX/NetBIOS Compatible Transport Microsoft’s implementation of the Novell IPX/SPX protocol stack.
PASV mode A connection mode of the FTP protocol that arbitrarily chooses the data port for packet transfer.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 507
PB
See petabyte.
performance counter A data item that is associated with a system object. It measures a particular aspect of that object’s performance. Examples include the Pages Per Second counter of the Memory object or the % Processor Time counter of the Processor object. Performance Logs and Alerts A Windows 2000 utility used to log performancerelated data and generate alerts based on performance-related data. Performance Monitor See System Monitor. performance object The particular system object or service, such as memory, processor, or web service, that you wish to monitor. perimeter network A small, secured network that contains resources you wish to make available to external users. Secured from the outside by a firewall or other means, it is also separated from the rest of the internal, private network as well. petabyte A computer storage measurement that is equal to 1,024 terabytes. Physical layer The first (bottom) layer of the Open Systems Interconnection (OSI) model, which represents the cables, connectors, and connection ports of a network. The Physical layer contains the passive physical components required to create a network.
Copyright ©2001 SYBEX, Inc., Alameda, CA
physical port A serial (COM) or parallel (LPT) port that connects a device, such as a printer, directly to a computer. PING A command used to send an Internet Control Message Protocol (ICMP) echo request and echo reply to verify that a remote computer is available. Point-to-Point Protocol (PPP) A remote access protocol used with Windows 2000. PPP supports framing and authentication protocols. PPP is used to negotiate configuration parameters for local access protocols such as TCP/IP, IPX, and NetBEUI. Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol used for securely connecting remote users to the private network across the Internet or another intervening network. policies General controls that enhance the security of an operating environment. In Windows 2000, policies affect restrictions on password use and rights assignments and determine which events will be recorded in the Security log. policy element The individual components that are used to create rules. Policy elements can include items such as schedules, client address sets, and protocol definitions. port The specific connection point for the TCP or UDP protocol in use. SMTP normally
www.sybex.com
508
Glossary
uses port 25, while HTTP normally uses port 80. It is necessary to know which port an application uses in order for that particular door to be opened or closed in the firewall. PORT mode A connection mode of the FTP protocol that sets the data transfer port to its typical TCP port, port 21. PPP See Point-to-Point Protocol. PPTP See Point-to-Point Tunneling Protocol. Presentation layer The layer of the Open Systems Interconnection (OSI) model that converts and translates (if necessary) information between the Session layer and Application layer. primary IP address The address that is assigned to an NLB cluster to identify the cluster as a whole. Client machines use the primary, or cluster, IP address to direct traffic for service requests. The Network Load Balancing service intercepts these requests and then disperses them among the individual nodes. protocol An established rule of communication adhered to by the parties operating under it. Protocols provide a context in which to interpret communicated information. Computer protocols are rules used by communicating devices and software services to format data in a way that all participants understand. protocol definition Can be either a predefined or user-defined protocol that clients
may use to communicate with external computers. You must include the port number used, protocol type (TCP or UDP), as well as the direction of the connection (inbound or outbound). protocol rules Determines which protocols users are allowed to use between the internal network and the Internet. Public Switched Telephone Network (PSTN) Everyone uses it, that good ol’ analog pushbutton (or rotary, for those of us old enough to remember one) telephone.
R RADIUS server See Remote Authentication Dial-In User Service server. RAID-5 volume A volume set that stripes the data over multiple disk channels. RAID-5 volumes place a parity stripe across the volume. RAID-5 volumes are fault tolerant. RAM See random access memory. random access memory (RAM) Integrated circuits that store digital bits in massive arrays of logical gates or capacitors. RAM is the primary memory store for modern computers, storing all running software processes and contextual data. RAS See Remote Access Service. RDP See Remote Desktop Protocol. redirection The ability to publish different websites on separate ports and allow ISA to
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 509
redirect users’ requests toward the correct website.
resource Any useful service, such as a shared folder or a printer.
remote access policy A policy that specifies who is authorized to access an RAS server.
reverse caching Used to provide external clients the same caching benefits for internal web servers that the internal clients gain for external web content. ISA forwards requests to the internal web server from external clients and then caches the object locally for future requests.
Remote Access Service (RAS) A service that allows network connections to be established over a modem connection, an Integrated Services Digital Network (ISDN) connection, or a null-modem cable. The computer initiating the connection is called the RAS client; the answering computer is called the RAS server. Remote Access Service (RAS) server A Windows 2000 Server computer that is running the Routing and Remote Access Service. An RAS server authenticates and services requests from remote clients to connect to the network. Remote Authentication Dial-In User Service (RADIUS) server A server that stores a central authentication database and allows administrators to manage RAS servers from a single location. Remote Desktop Protocol (RDP) The protocol used with Terminal Services to allow Terminal Services clients to connect to the Terminal Services server. The Terminal Services server sends and receives commands to and from the client by using RDP. reports Information that summarizes the activity of an ISA Server for easy analysis.
Copyright ©2001 SYBEX, Inc., Alameda, CA
reverse hosting See server publishing. reverse proxy Instead of servicing requests from your internal clients for outside web information, reverse proxy handles requests from outside clients wishing to access information on your internal web servers. router A Network layer device that moves packets between networks. Routers provide internetwork connectivity. Routing and Remote Access Service A Windows 2000 Server service that allows an RAS server to connect mobile users to the network. routing rules The rules that determine what to do with a web proxy request, i.e., passed to an upstream server, redirected to a different location, or retrieved directly from the requested source. routing table An internal table configured from the network adapter information settings within the computer. This information
www.sybex.com
510
Glossary
is then used to determine which interface to send packets out of in order to further them along toward their final destination. RST The TCP flag that indicates that a possible error in transmission has occurred and that the current connection should be forcibly closed.
S schedule The days and times that a rule is effective. secure publishing Synonymous with server publishing or reverse hosting. ISA protects your web, e-mail, or other application servers from external attacks by inspecting incoming traffic and then forwarding only allowed packets to the proper server for the service requested. External clients see only the ISA Server, while the internal server accepts communications only from the ISA Server itself. security The measures taken to secure a system against accidental or intentional loss, usually in the form of accountability procedures and use restriction, for example through NTFS permissions and share permissions. Security log A log that tracks events that are related to Windows 2000 auditing. The Security log can be viewed through the Event Viewer utility.
SecureNAT client Clients that have configured the ISA Server as their default gateway. This configuration allows for caching of HTTP requests but does not support userbased authentication. server hosting Allows packets from outside the network to be forwarded to the intended internal server. server publishing See secure publishing. service A process dedicated to implementing a specific function for another process. Most Windows 2000 components are services used by user-level applications. Services A Windows 2000 utility used to manage the services installed on the computer. Session layer The layer of the Open Systems Interconnection (OSI) model dedicated to maintaining a bi-directional communication connection between two computers. The Session layer uses the services of the Transport layer to provide this service. share A resource such as a folder or printer shared over a network. share permissions Permissions used to control access to shared folders. Share permissions can only be applied to folders, as opposed to NTFS permissions, which are more complex and can be applied to folders and files.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 511
shared folder A folder on a Windows 2000 computer that network users can access. Shared Folders A Windows 2000 utility for managing shared folders on the computer. Simple Mail Transport Protocol (SMTP) An Internet protocol for transferring mail between Internet hosts. Part of the suite of TCP/IP protocols, SMTP handles the exchange of electronic mail messages between servers. SMTP is often used to upload mail directly from the client to an intermediate host, but can only be used to receive mail by computers constantly connected to the Internet. site and content rules Used to determine the Internet sites and content that users are allowed access to. SMTP
See Simple Mail Transfer Protocol.
snap-in An administrative tool developed by Microsoft or a third-party vendor that can be added to the Microsoft Management Console (MMC) in Windows 2000. SOCKS A TCP proxy protocol for use across a firewall. ISA Server supports the SOCKS 4.3a standard. Software Developer’s Kit (SDK) Contains documented APIs and examples to help you develop your own web filters, application filters, scripts, and other tools. stateful inspection Allows ISA Server to determine the state of a session so that required ports remain open only as long as they are needed.
Copyright ©2001 SYBEX, Inc., Alameda, CA
subnet A logical network division of a single physical network address. Defined by use of the subnet mask to distinguish the host element of the address from the logical network portion, it is often also referred to as a broadcast domain. subnet mask A number mathematically applied to IP addresses to determine which IP addresses are a part of the same subnetwork as the computer applying the subnet mask. superscope Two or more defined DHCP address groupings combined into a single logical scope for servicing DHCP requests on a single interface or subnet. SYN The initial packet sent from the client to the server requesting an “audience” with the server. “Excuse me, may I have a moment of your time?” system hardening The process of locking down and restricting access to a server for protection purposes. System log A log that tracks events that relate to the Windows 2000 operating system. The System log can be viewed through the Event Viewer utility. System Monitor Formerly referred to as Performance Monitor and renamed to System Monitor in Windows 2000, this troubleshooting and diagnostic tool located in the Performance console allows an administrator to record and view real-time data about memory, processor, disk, and other system activity in either a graph, histogram, or report format.
www.sybex.com
512
Glossary
T Task Manager A Windows 2000 utility that can be used to start, end, or prioritize applications. The Task Manager shows the applications and processes that are currently running on the computer, as well as CPU and memory usage information. TB
See terabyte.
TCP
See Transmission Control Protocol.
TCP/IP See Transmission Control Protocol/ Internet Protocol. TCP/IP port A logical port, used when a printer is attached to the network by installing a network card in the printer. Configuring a TCP/IP port requires the IP address of the network printer to connect to. terabyte (TB) A computer storage measurement that equals 1,024 gigabytes. TFTP
See Trivial File Transfer Protocol.
Transmission Control Protocol (TCP) A Transport layer protocol that implements guaranteed packet delivery using the IP protocol.
TCP/IP is the default protocol for Windows 2000. Transport layer The Open Systems Interconnection (OSI) model layer responsible for the guaranteed serial delivery of packets between two computers over an internetwork. TCP is the Transport layer protocol in TCP/IP. transport protocol A service that delivers discreet packets of information between any two computers in a network. Higher-level, connection-oriented services are built on transport protocols. Trivial File Transfer Protocol (TFTP) A network application that is simpler than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and directory visibility are not required. TFTP is used to download the Windows 2000 Client Installation Wizard from the RIS server to the RIS clients. TFTP uses the User Datagram Protocol (UDP).
U UDP See User Datagram Protocol. UNC
Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of Internet protocols upon which the global Internet is based. TCP/IP is a general term that can refer either to the TCP and IP protocols used together or to the complete set of Internet protocols.
See Universal Naming Convention.
Uniform Resource Locator (URL) An Internet standard naming convention for identifying resources available via various TCP/IP application protocols. For example, http://www.microsoft.com is the URL for
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 513
Microsoft’s World Wide Web server site, and ftp://gateway.dec.com is a popular FTP site. A URL allows easy hypertext references to a particular resource from within a document or mail message. A URL always has the domain name on the right and the host name on the left. uninterruptible power supply (UPS) An emergency power source that can provide a limited amount of power to a computer in the event of a power outage. Universal Naming Convention (UNC) A multivendor, multiplatform convention for identifying shared resources on a network. UNC names follow the naming convention \\computername\sharename. Universal Serial Bus (USB) Provides a common bus standard for connecting various types of peripherals. UPS
See uninterruptible power supply.
upstream server The server in an ISA chain that is positioned closer to the Internet and farther from the requesting client. URL See Uniform Resource Locator. USB
See Universal Serial Bus.
User Datagram Protocol (UDP) One of the two transport protocols of the TCP/IP protocol suite. Residing in the Transport layer of the protocol stack, UDP is used for quick, just-get-it-there transmissions because of its
Copyright ©2001 SYBEX, Inc., Alameda, CA
lack of error-checking control. Applications such as NetMeeting use UDP as opposed to its more complex, overhead-ridden brother, TCP.
V virtual memory A kernel service that stores memory pages not currently in use on a mass-storage device to free the memory occupied for other uses. Virtual memory hides the memory-swapping process from applications and higher-level services. virtual private network (VPN) A secure, encrypted tunnel through the Internet used to connect a remote client to your private network resources. VPC file The file that is created after running the Local VPN Configuration Wizard that contains the needed information for the remote connection server to be set up. VPN See virtual private network. VPN pass-through The ability to allow an external client to connect to a Routing and Remote Access server that is behind the ISA Server. VPN tunnel A communication channel between a remote client and the private network that encapsulates the data package within another package, thereby hiding the true payload from prying eyes.
www.sybex.com
514
Glossary
W web browser An application that makes HTTP requests and formats the resultant HTML documents for the users. Most web browsers understand all standard Internet protocols. web caching The process of storing frequently retrieved web objects in RAM (random access memory) or on the local hard drive of the ISA Server. Additional requests for the same material are then retrieved locally, improving response time. Web Proxy Autodiscovery Protocol (WPAD) The protocol used by ISA Server to determine the correct autodetect entry for Web proxy and Firewall clients seeking an ISA Server. Web proxy client Web browser requests from the client are sent directly to the ISA Server instead of being directed out to the Internet. ISA then attempts to fulfill the request from its local cache before downloading the item from the Internet. web publishing Allows for internal web servers to be available for external clients to access. Windows 9x The 32-bit Windows 95 and Windows 98 versions of Microsoft Windows for medium-range, Intel-based
personal computers. This system includes peer networking services, Internet support, and strong support for older DOS applications and peripherals. Windows 2000 Advanced Server The current version of the Windows server software designed for medium-size to large networks. It includes all of the features of Windows 2000 Server plus network load balancing, cluster services for application fault tolerance, support for up to 8GB of memory, and support for up to eight processors. Windows 2000 Datacenter Server The most powerful server in the Microsoft server family. This operating system is designed for large-scale enterprise networks. Windows 2000 Datacenter Server includes all of the features of Windows 2000 Advanced Server and adds more advanced clustering services, support for up to 64GB of memory, and support for up to 16 processors (OEM versions can support up to 32-way SMP). Windows 2000 Professional The current version of the Windows operating system for high-end desktop environments. Windows 2000 Professional integrates the best features of Windows 98 and Windows NT Workstation 4, supports a wide range of hardware, makes the operating system easier to use, and reduces the cost of ownership.
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com
Glossary 515
Windows 2000 Server The current version of the Windows server software designed for use in small to medium-sized networks. Windows 2000 Server can serve as a file and print server, an applications server, a web server, and a communications server.
Windows for powerful Intel, Alpha, PowerPC, or MIPS-based computers. This operating system includes peer networking services, server networking services, Internet client and server services, and a broad range of utilities.
Windows NT The predecessor to Windows 2000 that is a 32-bit version of Microsoft
Copyright ©2001 SYBEX, Inc., Alameda, CA
www.sybex.com