ExamInsight For Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition Examination 70-227 Installing, Configuring, & Administering Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition
Author Michael Yu Chak Tin MCSE 4.0/2000, MCSD, MCDBA 4.0/ 2000, CISSP CCNA, CCDA, CCSE, OCP, CSA Published by TotalRecall Publications, Inc. 1103 Middlecreek Friendswood, TX 77546 281-992-3131
NOTE: THIS IS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com
TotalRecall Publications, Inc. This Book is Sponsored by BeachFront Quizzer, Inc. Copyright 2003 by TotalRecall Publications, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical or by photocopying, recording, or otherwise without the prior permission of the publisher. If you are dissatisfied with the products or services provided, please contact Bruce Moran at, TotalRecall Publications, Inc., 1103 Middlecreek, Friendswood, TX 77546 . The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties. Printed in United States of America Printed and bound by Data Duplicators of Houston Texas Printed and bound by Lightning Source, Inc. in the USA and UK ISBN: 1-59095-609-5 UPC: 6-43977-02227-1 The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.
Worldwide eBook distribution by:
InsideScoop®, TotalRecall™, ExamInsight™, and ExamWise™ are Trademarks of TotalRecall Publications, Inc. This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The “Windows® 2000, MCSE™, MCSD™, MCSE+I™, MCT™” Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended. Disclaimer Notice: Judgments as to the suitability of the information herein for purchaser’s purposes are necessarily the purchaser’s responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extends no warranties, makes no representations, and assumes no responsibility as to the accuracy or suitability of such information for application to the purchaser’s intended purposes or for consequences of its use.
Dedication This book is dedicated to my parents John and Esther Yu for their support and encouragement.
Michael Yu Chak Tin
ExamInsight For Windows® 2000 (ISA) Server Certification Examination 70-227 Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition
BY Michael Yu Chak Tin MCSE 4.0/2000, MCSD, MCDBA 4.0/ 2000, CISSP CCNA, CCDA, CCSE, OCP, CSA About the Author Born in Hong Kong and educated in the US, Michael Yu Chak Tin has worked for Fortune 500 companies as well as small high-tech startups, both in Hong Kong and in the US. During his time in Silicon Valley, Michael developed invaluable experience in internal process improvement applications that automated much of his employer's operations. At Pacific Rim Networks Ltd., Michael has participated in the management of technology projects, and the evaluation of new technologies for business applications. For years, Michael has been providing content and writing exam study guides for the leading IT Certification sites worldwide. Michael has been working extensively on new Internet venture development. His experience and knowledge in shaping strategic framework are valuable assets essential to the success of a venture. Michael has been an active member and winner of high school Swimming and VolleyBall teams. Michael loves VolleyBall and Jet Skiing.
About the Editor Mark Eader holds a BS in Computer Information Systems from the University of Houston. He has many years of experience in networking, Cisco, Unix, Sun, Linux, Windows NT 4.0, Windows 2000, programming, and Web development in the IT arena. He is an entrepreneur who has worked for both big corporations and small IT companies.
A Quick overview of this book chapters: Chapter 1: Installing ISA Server
1
Chapter 2: Configuring ISA Server Services
39
Chapter 3: Policies and Rules
99
Chapter 4: The Client Computers
149
Chapter 5: Using ISA Servers
185
Appendix A:
233
Index
287
Money Back Book Guarantee
291
70-227 Practice Exam Purchase
292
Table of Contents VII
Table of Contents About the Author ......................................................................................IV
About the Editor ........................................................................................V
About the Book...................................................................................... XIV
Introduction ............................................................................................ XV
Foreword ............................................................................................... XVI
How to read this book .......................................................................... XVII
70-227 Exam Preparation Guide ........................................................ XVIII
Skills Being Measured .......................................................................... XIX
Chapter 1: Installing ISA Server
I II
III
IV V VI
1
Getting Ready - Questions ............................................................... 1
Getting Ready - Answers .................................................................. 2
Introduction ............................................................................................... 2
Pre-configuring network interfaces ........................................................... 3
Verifying Internet connectivity ................................................................... 3
Verifying DNS name resolution................................................................. 3
Pop Quiz 1.1 ........................................................................................ 3
ISA Server installation modes................................................................... 5
Local Address Table (LAT). ...................................................................... 8
Constructing the LAT ........................................................................... 8
Modifying the LAT ................................................................................ 9
The cache and configuration................................................................... 10
Calculating and Configuring the Size of the cache ............................ 11
Configuring HTTP Caching ................................................................ 11
Configuring FTP Caching................................................................... 12
Configuring Active Caching................................................................ 12
Configuring Negative Caching ........................................................... 12
Configuring Scheduled Download...................................................... 13
Installing the ISA Server as a member of an array ................................. 15
Pop Quiz 1.2 ...................................................................................... 15
Upgrading Proxy 2.0 Server to ISA Server ............................................ 17
Backing up the Proxy Server 2.0 configuration....................................... 17
Setup problems that may occur .............................................................. 18
Pop Quiz 1.3 ...................................................................................... 19
Chapter 1: Summary............................................................................... 21
VII Chapter 1: Practice Test ......................................................................... 22
VIII Chapter 1: Exercises............................................................................... 34
Lab 1.1 Installing Windows 2000 Server for ISA Server .................... 34
Lab 1.2 Installing ISA Server .............................................................. 36
VIII Table of Contents
Chapter 2: Configuring ISA Server Services
I
39
Getting Ready - Questions ............................................................. 39
Getting Ready - Answers ................................................................ 40
Introduction ............................................................................................. 40
II
Configuring outbound Internet access .................................................... 42
Troubleshooting outbound Internet access............................................. 44
Pop Quiz 2.1....................................................................................... 45
III Configuring ISA Server hosting roles...................................................... 47
Configuring ISA Server for Web publishing ............................................ 47
Configuring ISA Server for Server Proxy ................................................ 52
Configuring ISA Server for server publishing.......................................... 52
Pop Quiz 2.2....................................................................................... 53
IV Configuring H.323 Gatekeeper ............................................................... 55
Audio and video conferencing................................................................. 55
Configuring Gatekeeper rules ................................................................. 57
Gatekeeper Telephone Rules ............................................................ 58
Gatekeeper E-mail Rules ................................................................... 59
Gatekeeper Internet Protocol (IP) Rules............................................ 59
Configuring Gatekeeper destinations...................................................... 60
Pop Quiz 2.3....................................................................................... 61
V Routing and remote access connections ................................................ 63
Setting up dial-up connections................................................................ 63
Troubleshooting dial-up connections ...................................................... 63
Setting up routing connections................................................................ 64
Troubleshooting routing connections ...................................................... 64
Configuring remote access service and connections ............................. 65
Troubleshooting remote access connections ......................................... 65
Setting up dial-on-demand connections.................................................. 65
Troubleshooting dial-on-demand connections........................................ 66
Setting up and verifying routing rules...................................................... 66
Pop Quiz 2.4....................................................................................... 67
VI Virtual Private Network (VPN)................................................................. 69
Configuring Virtual Private Network (VPN) access................................. 69
Using the VPN Wizard ............................................................................ 70
Configuring VPN on the ISA Server without using the VPN Wizard....... 72
Troubleshooting Virtual Private Network (VPN) access ......................... 74
Setting up and troubleshooting connections for VPN ............................. 74
Pop Quiz 2.5....................................................................................... 75
VII Configuring multiple ISA Server scalability ............................................. 77
Configuring Network Load Balancing (NLB) ........................................... 77
Configuring Cache Array Routing Protocol (CARP) ............................... 78
VIII Chapter 2: Summary ............................................................................... 80
IX
Chapter 2: Practice Test ......................................................................... 81
Table of Contents IX X
Chapter 2: Exercises............................................................................... 88
Lab 2.1 Windows 2000 ISA Server Internet Access............................ 88
Lab 2.2 Configuring ISA Server Web publishing ................................. 90
Lab 2.3 Configuring ISA Server for Server Proxy................................ 92
Lab 2.4 Virtual Private Networks (VPN) .............................................. 94
Lab 2.5 Multiple ISA Server scalability ................................................ 96
Chapter 3: Policies and Rules
I II
III
IV
V
VI
VII
99
Getting Ready – Questions............................................................. 99
Getting Ready - Answers .............................................................. 100
Introduction ........................................................................................... 100
Corporate standard policies and rules .................................................. 101
Configuring security templates.............................................................. 101
Configuring the firewall ......................................................................... 102
Securing the firewall.............................................................................. 108
Troubleshooting the firewall .................................................................. 109
Controlling Outbound Access ............................................................... 110
Configuring access control policies....................................................... 110
Configuring bandwidth priority .............................................................. 112
Configuring bandwidth policies ............................................................. 113
Creating bandwidth rules to manage Internet access........................... 113
Creating site and content rules to restrict Internet access.................... 114
Creating protocol rules to manage Internet access .............................. 115
Creating routing rules to manage Internet access ................................ 116
Pop Quiz 3.1 .................................................................................... 117
Troubleshooting access problems ........................................................ 119
User based access problems................................................................ 119
Packet-based access problems ............................................................ 120
Creating new policy elements ............................................................... 121
Policy elements ..................................................................................... 121
Schedules ............................................................................................. 123
Bandwidth priorities............................................................................... 123
Destination sets..................................................................................... 123
Client address sets ............................................................................... 124
Protocol definitions................................................................................ 124
Content groups...................................................................................... 125
Pop Quiz 3.2 .................................................................................... 125
Managing ISA Server arrays................................................................. 127
Creating an array of Proxy Servers....................................................... 127
Assigning an enterprise policy to an array ............................................ 128
Managing remote arrays ....................................................................... 130
Chapter 3: Summary............................................................................. 131
VIII Chapter 3: Practice Test ....................................................................... 132
X Table of Contents IX
Chapter 3: Exercises............................................................................. 140
Lab 3.1 Configure access policies and rules ..................................... 140
Lab 3.2 Restricting Internet access with site and content rules ........ 142
Lab 3.3 Policy elements..................................................................... 144
Lab 3.4 Proxy Server array................................................................ 146
Chapter 4: The Client Computers
I
II
III
IV
V VI VII
149
Getting Ready - Questions ........................................................... 149
Getting Ready – Answers ............................................................. 150
Introduction ........................................................................................... 150
Deploying client computers ................................................................... 150
Configuring Firewall client ..................................................................... 151
Troubleshooting client computers ......................................................... 153
Planning the deployment of the client to use ISA Server services ...... 154
Client authentication.............................................................................. 154
Authentication Methods.................................................................... 154
Client operating systems....................................................................... 155
Network topology .................................................................................. 156
Cost and complexity.............................................................................. 156
Client functions...................................................................................... 157
Clients for SecureNAT .......................................................................... 158
Configuring client computers for SecureNAT ....................................... 158
Troubleshooting client computers for SecureNAT ................................ 158
Pop Quiz 4.1..................................................................................... 159
Installing Firewall client software .......................................................... 161
Complexity of deployment..................................................................... 161
Mspclnt.ini: ....................................................................................... 161
Wspcfg.ini:........................................................................................ 161
Cost of deployment ............................................................................... 162
Money............................................................................................... 162
Manpower......................................................................................... 162
Time ................................................................................................. 162
Firewall client auto detection................................................................. 162
Using an ISA Server as an HTTP Proxy ............................................... 164
Configuring the client computer's Web browser ................................... 164
ISA client comparison ........................................................................... 166
Pop Quiz 4.2..................................................................................... 167
Chapter 4: Summary ............................................................................. 169
VIII Chapter 4: Practice Test ....................................................................... 170
IX
Chapter 4: Exercises............................................................................. 178
Lab 4.1 Deployment of client computers ........................................... 178
Lab 4.2 SecureNAT ........................................................................... 180
Lab 4.3 HTTP Proxy .......................................................................... 182
Table of Contents XI
Chapter 5: Using ISA Servers
I
II
III
IV
V
VI
VII
185
Getting Ready - Questions ........................................................... 185
Getting Ready - Answers .............................................................. 186
Introduction ........................................................................................... 186
Managing ISA Server............................................................................ 186
Monitoring ISA Servers ......................................................................... 187
Analyzing ISA Servers .......................................................................... 187
Monitoring security and network usage ................................................ 190
Using logging ........................................................................................ 190
Security Logs ................................................................................... 190
Network Logs ................................................................................... 190
Configuring Logging ......................................................................... 191
Logging Packet Filter Activity ........................................................... 192
Using alerts ........................................................................................... 192
Configuring alerts .................................................................................. 193
Sending E-Mail Messages to Administrators ................................... 194
Automatic Alert Configuration .......................................................... 194
Monitor Alert Status.......................................................................... 194
Configuring intrusion detection ............................................................. 194
Pop Quiz 5.1 .................................................................................... 195
Troubleshooting network usage problems............................................ 197
Using Netstat......................................................................................... 197
Using Telnet .......................................................................................... 198
Testing the external ports using Network Monitor ................................ 198
Troubleshooting security problems ....................................................... 200
Using Netstat......................................................................................... 200
Using Telnet .......................................................................................... 200
Using Network Monitor.......................................................................... 200
Analyzing the performance of ISA Servers........................................... 201
Using reports......................................................................................... 201
Creating reports .................................................................................... 202
Viewing and saving reports................................................................... 203
Pop Quiz 5.2 .................................................................................... 203
Optimizing the performance of an ISA Server ...................................... 205
Capacity planning ................................................................................. 205
Allocation of priorities ............................................................................ 205
Trend analysis....................................................................................... 205
Analyzing ISA Server performance using Performance Monitor .......... 206
Analyzing performance of ISA Servers using reports ........................... 209
Analyzing performance of ISA Servers using logs................................ 209
Controlling the total RAM used by ISA Server for caching ................... 210
Chapter 5: Summary............................................................................. 212
VIII Chapter 5: Practice Test ....................................................................... 213
XII Table of Contents IX
Chapter 5: Exercises............................................................................. 222
Lab 5.1 Monitoring the ISA Server .................................................... 222
Lab 5.2 Monitor network and security................................................ 224
Lab 5.3 Security problems ................................................................. 226
Lab 5.4 Analyzing performance......................................................... 228
Lab 5.5 Memory caching ................................................................... 230
Appendix A:
233
I
Chapter 1: Practice Test Answers ........................................................ 233
II
Chapter 2: Practice Test Answers ........................................................ 248
III
Chapter 3: Practice Test Answers ........................................................ 257
IV
Chapter 4: Practice Test Answers ........................................................ 266
V
Chapter 5: Practice Test Answers ........................................................ 275
Index
2 87
Money Back Book Guarantee
291
70-227 Practice Exam Purchase
292
XIV About the Book
About the Book Part of the InsideScoop to TotalRecall IT Certification System Series, this new Self Help and Interactive Exam Study Aid with CD-ROM Practice testing material is now available for candidates preparing to take the Microsoft 70-227 Installing, Configuring, & Administering Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition Certification exam. This book covers in detail information associated with each of the exam topics and includes information found in no other book. Using this book will help readers determine if they are ready to take the Microsoft ISA Server 70-227 Certification exam. Each chapter in this book includes pre- and postassessment questions to assess your comprehension of each topic. This book explains the concepts in a clear and easy-to-understand manner to help you not only pass the exam, but also to apply the knowledge later in real-world situations. Chapter summaries encapsulate the important areas of each chapter in short reviews. The large glossary at the end of the book provides a review of essential exam-related terms and concepts that will prove invaluable if you review them just before taking the exam. Helpful tips and time management techniques will alleviate pre-exam jitters and put you in control. For implementing ISA Server in a production environment, tips on pre-installation, workstation tuning, application tuning, registry hacks, and maintenance techniques are included. Save $20! Special Offer for this book is our exclusive BeachFront Quizzer, Inc. CD-ROM test engine that creates randomized simulated exams drawn from a database of 350+ sample exam questions. Written to mimic the real exam, you also get complete answers and explanations plus a detailed scoring summery showing test results at the end of each practice exam. NOTE: THIS IS BOOK IS GUARANTEED: See details at TotalRecallPress.com
Introduction Internet Security and Acceleration (ISA) Server 2000 is the next generation of Proxy Server, providing secure, fast, and manageable Internet connectivity by integrating an extensible, multilayer enterprise firewall with the Proxy architecture. ISA Server comes in two editions: Standard Edition and Enterprise Edition. The Standard Edition is a standalone server suitable for small to medium networks. For large-scale deployments, server array support, multi-level policy, and computers with more than four processors, you will need to use the Enterprise Edition. According to Microsoft, the 70-227 Certification exam identifies your ability to implement, administer, and troubleshoot information systems that incorporate ISA Server 2000. This exam requires exposure to the ISA Server Enterprise Edition. When you pass this exam, you achieve Microsoft Certified Professional status. You also earn elective credit toward Microsoft Certified Systems Engineer certification. Candidates for this exam should have experience operating in medium to very large computing environments that use the Microsoft Windows 2000 Server operating system. They should have a minimum of one year's experience implementing and administering network operating systems in environments that have between 200 and 26,000+ supported users and are spread across multiple physical locations. This book is organized to follow Microsoft’s published exam objectives for the 70-227 Certification exam. In addition to using this book for exam preparation, you are encouraged to use the enclosed Beachfront Quizzer test modules to constantly assess your study progress.
Michael Yu Chak Tin
XVI Forward
Foreword The world is changing at an incredible pace. It has been many years since computers have entered the mainstream. Now it is not just the government or universities that possess them, most of us have at least one of them, in one form or another. Today, we carry around computers on our wrists or in our pockets that have more power then ENIAC once had. The sheer amount of raw computing power grows at tremendous rates daily. To make these computers work, they must have a program or set of guidelines in which to function. This brings us to Microsoft Windows® 2000 Enterprise Networking. Through many years of experience working with various operating systems, applications and, of course, games, I have found my share of quirks & problems. However, I have also found a lot of potential in them as well. Windows® 2000 Enterprise Networking, in my honest opinion, brings a new face to enterprise networking. Microsoft has done a remarkable job improving the stability and reliability of the Windows® 2000 Operating System line. Windows NT 3.51 and Windows NT 4.0 were powerful in their respective days, but now that we have processors reaching 2300 MHz and better in speed, hard drives revving over 10,000 RPM, and networks running at gigabit speeds, we need the operating system to be as quick and possible. This may sound a lot like a sales pitch, but it isn’t. I am no sales person; I couldn’t sell ice in the desert. I am a tech; I work with this stuff everyday and love it. I love the problems, the solutions, and staying up till the crack of dawn (my wife, however, is not to keen on that one). Ultimately, the decision to use or not use any piece of software is up to you (or at least your IT department). I just hope that you give Windows® 2000 Enterprise Networking its fullest chance. Install it on your desktop and your laptop, try some of the new features (Offline Shares is one of my favorites), and truly put it through its paces. Don’t uninstall it too quickly, like most people do when they first have a problem; there are plenty of resources available to assist you when something doesn’t work.
Patrick Timmons Patrick Timmons is Microsoft Certified Trainer and Microsoft Certified Systems Engineer + Internet. He has been working in the IT industry for approximately 15 years, specializing in network engineering. He is currently the CEO of Integrator Systems Inc., a company based in Ottawa, Ontario, Canada.
How to read this book XVII
How to read this book Styles used in the book: Internet Address HTTP://WWW.INTEGRATORSYSTEMS.CA Command to type CONVERT D: /FS:NTFS Replacement in Commands DRIVE Option to select Clean Install Tips, Notes: Remember:
Don’t run with scissors.
XVIII 70-227 Exam Preparation Guide
70-227 Exam Preparation Guide Installing, Configuring, and Administering Microsoft® Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. You will find the Microsoft Windows 2000 Exam 70-227 guide located on the Microsoft web site, at the following URL: http://www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-227 Note:
Exam subject matter and the skills being measured are subject to change at any time without prior notice and at Microsoft’s sole discretion.
Information you will find in Microsoft’s document includes the following. Certification Credit Upon successful completion of this exam, you will achieve Microsoft Certified Professional status. This exam also provides elective credit towards Microsoft Certified Systems Engineer status. Exam Audience Exam candidates are those individuals that operate in medium to very large computing environments that use Windows 2000 Server Operating System. Candidates should have a minimum of one year’s experience implementing, administering, and troubleshooting operating systems in a network environment. Skills Needed This certification exam will measure your ability to implement, administer, and troubleshoot information systems that utilize multiple physical between locations with each location having 200+ users and incorporating the Enterprise Edition of Microsoft Internet Security and Acceleration (ISA) Server 2000.
70-227 Exam Preparation Guide XIX
Skills Being Measured This certification exam measures your ability to implement, administer, and troubleshoot information systems that incorporate the Enterprise Edition of Microsoft Internet Security and Acceleration (ISA) Server 2000. Wherever the term "ISA Server" occurs in this prep guide or in the content of the exam, it refers only to ISA Server 2000, Enterprise Edition. It does not refer to ISA Server 2000, Standard Edition. Before taking the exam, you should be proficient in the job skills listed below.
Installing ISA Server 1.
Preconfigure network interfaces.
٭Verify Internet connectivity before installing ISA Server. ٭Verify DNS name resolution. 2.
Install ISA Server. Installation modes include integrated, firewall, and cache.
٭Construct and modify the local address table (LAT). ٭Calculate the size of the cache and configure it. ٭Install an ISA Server computer as a member of an array. 3.
Upgrade a Microsoft Proxy Server 2.0 computer to ISA Server.
٭Back up the Proxy Server 2.0 configuration. 4.
Troubleshoot problems that occur during setup.
Configuring and Troubleshooting ISA Server Services 1.
Configure and troubleshoot outbound Internet access.
2.
Configure ISA Server hosting roles.
٭Configure ISA Server for Web publishing. ٭Configure ISA Server for server proxy. ٭Configure ISA Server for server publishing.
XX 70-227 Exam Preparation Guide
3. Configure H.323 Gatekeeper for audio and video conferencing.
٭Configure gatekeeper rules. Rules include telephone, e-mail, and Internet
Protocol (IP).
٭Configure gatekeeper destinations by using the Add Destination Wizard.
4.
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
٭Set up and verify routing rules for static IP routes in Routing and Remote Access. 5.
Configure and troubleshoot virtual private network (VPN) access.
٭Configure the ISA Server computer as a VPN endpoint without using the
VPN Wizard.
٭Configure the ISA Server computer for VPN pass-through.
6. Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).
Configuring, Managing, and Troubleshooting Policies and Rules 1.
Configure and secure the firewall in accordance with corporate standards.
٭Configure the packet filter rules for different levels of security, including system hardening. 2.
Create and configure access control and bandwidth policies.
٭ ٭ ٭ ٭ 3.
Create and configure site and content rules to restrict Internet access. Create and configure protocol rules to manage Internet access. Create and configure routing rules to restrict Internet access. Create and configure bandwidth rules to control bandwidth usage.
Troubleshoot access problems.
٭Troubleshoot user-based access problems. ٭Troubleshoot packet-based access problems.
70-227 Exam Preparation Guide XXI
4. Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups. 5. Manage ISA Server arrays in an enterprise.
٭Create an array of proxy servers. ٭Assign an enterprise policy to an array. Deploying, Configuring, and Troubleshooting the Client Computer 1. Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function. 2. Configure and troubleshoot the client computer for secure network address translation (SecureNAT). 3. Install the Firewall Client software. Considerations include the cost and complexity of deployment.
٭Troubleshoot autodetection. 4. Configure the client computer's Web browser to use ISA Server as an HTTP proxy.
Monitoring, Managing, and Analyzing ISA Server Use 1.
Monitor security and network usage by using logging and alerting.
٭ ٭ ٭ ٭ 2.
Configure intrusion detection. Configure an alert to send an e-mail message to an administrator. Automate alert configuration. Monitor alert status.
Troubleshoot problems with security and network usage.
٭Detect connections by using Netstat.
٭Test the status of external ports by using Telnet or Network Monitor.
XXII 70-227 Exam Preparation Guide
3. Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security. 4. Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis.
٭Analyze the performance of the ISA Server computer by using Performance
Monitor.
٭Analyze the performance of the ISA Server computer by using reporting and
logging.
٭Control the total RAM used by ISA Server for caching
Installing ISA Server 1
Chapter 1: Installing ISA Server The objective of this chapter is to provide the reader with an understanding of the following: 1. The role of ISA Server in the network. 2. The operating environment of ISA Server. 3. Installation modes and options. 4. System requirements. 5. Proxy Server 2.0 Upgrade. 6. Troubleshooting Q & A.
Getting Ready - Questions 1) 2) 3) 4) 5)
What is a packet filter?
What is the nature of a firewall?
What protocols can an Internet firewall filter?
Does ISA Server support anti-virus functions?
Can ISA Server run on NT Server 4.0?
2 Chapter 1: 70-227 Certification
Getting Ready - Answers 1) 2) 3) 4) 5)
I
A packet filter inspects and filters packets based on pre-defined rules.
A firewall can be software, hardware, or a combination of both.
TCP/IP only.
No, ISA Server does not include anti-virus functions.
No, ISA Server requires Windows 2000 with SP1.
Introduction
ISA Server is a combination of a firewall and Microsoft Proxy Server. With Proxy Server, you can perform network address translation, caching and basic filtering. ISA Server has much stronger capabilities for network protection than the original Proxy Server. It is also tightly integrated with Windows 2000 and Active Directory. If you are familiar with Proxy Server, you will find that ISA Server is very easy to configure. This is because they share the same underlying concepts and theories. A firewall is a hardware/software combination that acts as a point of access for traffic going in and out of an internal network. You can deploy ISA Server as a single bastion host or as part of a perimeter network. You can also use the various filters provided to protect your network.
Installing ISA Server 3
II
Pre-configuring network interfaces
To install ISA Server, you must first ensure that your Internet connectivity is configured properly. This means the router has to work properly, and that TCP/IP must be set up for the servers and clients in your network.
Verifying Internet connectivity A firewall cannot control traffic that does not pass through it. Your ISA Server must have at least two network cards configured. The router is connected to the external interface of the ISA Server. The internal interface is connected to the internal network. If the router does not perform address translation, the external interface must be configured with a valid “true” IP address. Depending on the ISA Server configuration, the internal interface may use a “true” IP address or a private one. One thing for sure: the external interface and the internal interface must be on different subnets.
Verifying DNS name resolution For ease of configuration and for filtering purposes, it is desirable for the Domain Name Service (DNS) to resolve names. Externally you may want your company or Web site name to be registered with InterNIC, the organization that coordinates the domain name registration activities. Internally, you should set up a DNS server that is integrated into the network to resolve internal names. Note that for tight integration with Active Directory, you should use the Active Directory integrated zone type. Pop Quiz 1.1
Pop Quiz 1.1 Questions
1) What functions can ISA Server provide?
2) Which interface of ISA Server should use a “true” IP address?
3) Which interface of ISA Server should use a private IP address?
4) Can ISA Server control traffic that passes through it?
5) Can ISA Server control traffic that does not pass through it?
4 Chapter 1: 70-227 Certification
Pop Quiz 1.1 Answers
1) Firewall, NAT, Caching.
2) External.
3) Internal.
4) Yes.
5) No.
Notes:
Installing ISA Server 5
III
ISA Server installation modes
ISA Server supports three different configuration modes. These modes are: •
Integrated mode.
•
Firewall mode.
•
Cache mode.
Figure 1.1.
Microsoft ISA Server Setup Main Page
6 Chapter 1: 70-227 Certification
You can install ISA Server as a firewall, a caching server, or both. As a firewall, ISA Server focuses on protecting the network and inspecting network traffic. As a caching server, ISA Server focuses on providing cached objects for the internal clients. To enjoy the best of both worlds, you can configure ISA Server to run in Integrated mode, which will provide secure and efficient Internet access and, at the same time, allow for secure processing of external requests to the internal servers.
Figure 1.2.
Microsoft ISA Server Setup
Before proceeding with the installation, you must have your hardware and software prepared. A minimum of a Pentium II 300 MHZ processor is recommended. As a forward caching server that serves less than 250 users / a reverse caching server that handles less than 800 hits per second / a firewall, you need a minimum of
Installing ISA Server 7
128MB RAM, although 256MB or more is always recommended. If the volume of traffic is high, consider a Pentium II 550MHZ or higher processor. Another area of consideration is the storage space. ISA server requires 20MB of space. However, as a caching server, depending on the usage patterns of your users, it is not uncommon for a 10GB drive to fill up in couple days. Your server should be running Windows 2000 Server or Advanced Server with SP1, or the Data Center version. ISAAutorun.exe is the installation command you use to start the installation. The installation options available include ISA Services, which is a REQUIRED component for network traffic access control; Add-In Services, which includes the optional H.323 Gatekeeper for NetMeeting support and the optional Message Screener for SNMP filtering; Administration Tools, which includes the REQUIRED ISA Server Admin Tool and the OPTIONAL H.323 GateKeeper Admin Tool. Note that the Administration Tools can be installed on the same server or on another Windows 2000 computer.
Figure 1.3.
ISA Server Enterprise CD
8 Chapter 1: 70-227 Certification
In addition to selecting the appropriate installation option, you can choose to install ISA Server in Firewall mode, Cache mode, or Integrated mode.
Local Address Table (LAT). The Local Address Table (LAT) contains all the internal IP addresses used by hosts in the internal network. You must configure the LAT if you install ISA Server in Firewall mode or Integrated mode. The LAT determines how the internal computers connect to the Internet. Internal clients will automatically download the LAT updates from the ISA Server. Note that the private IP address ranges specified by Internet Assigned Numbers Authority (IANA) are: 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255
Figure 1.4.
ISA Management
Constructing the LAT To construct the LAT during setup, click Table in the setup dialog box. You may then add either the private IP address ranges or address ranges based on the Windows 2000 routing table. Keep in mind that you should only include addresses on the private network. NEVER add any external addresses.
Installing ISA Server 9
Modifying the LAT From the Internal IP Ranges box, you can add, edit or remove any entry. When you finish reviewing the settings, ISA Setup will complete the rest of the configuration for you.
Figure 1.5.
192.168.0.0 Properties
10 Chapter 1: 70-227 Certification
The cache and configuration You must configure the drive to use caching if you install ISA Server in Cache mode or Integrated mode. For optimal performance, you should have a drive dedicated for this purpose. The drive for caching must have a drive letter assigned! In ISA Server, two types of caching objects are supported: HTTP object and FTP object. An HTTP object is an object that a client retrieves from a Web server by using the HTTP protocol. An FTP object is an object that a client retrieves from an FTP server by using the FTP protocol. What makes ISA Server caching successful? Its RAM and disk caching functions allocate RAM for caching popular objects and other objects on disk. ISA Server places a cached object into the RAM cache first, and then writes multiple objects to the hard disk. The way the cache pre-fetches information automatically determines which objects to keep in its RAM cache based on how recently and how frequently the objects are accessed. To ensure that the most frequently accessed objects are contained in the cache, ISA Server caches actively – it automatically retrieves the most updated version of an object from the Internet.
Installing ISA Server 11
Calculating and Configuring the Size of the cache Initially, the default cache size is set to 100MB if you have 150MB free space available. Additionally, you may want to add 0.5MB for each client that uses the web proxy function. The minimum cache size of 5MB is technically impractical and can be ignored.
Figure 1.6.
Configure Cache
Microsoft recommends 2 –4 GB of cache space for 250 users or less. If you have more than that number of users, 10GB per 2000 users is what you need. Configuring HTTP Caching You may enable HTTP caching by going into the console tree of ISA management and proceed through the following menu items: Cache Configuration -> Configure Cache Policy -> Cache Configuration Properties – HTTP.
12 Chapter 1: 70-227 Certification
There are three types of policy that governs the expiration of cached objects. They are: 1. Frequently: Always keep the objects in the cache current at the expense of lower
network performance.
2. Normal: A balance between Frequently and Less Frequently. 3. Less Frequently: Do not always keep the objects in the cache current. This option is suitable when your network bandwidth is limited. You may specify the time for the cached objects to remain in the cache via Time-To-Live (TTL), a value that governs the life of the objects. You may set the TTL to a specific percentage. A lower percentage specifies to update cached objects more frequently, and vice versa. Configuring FTP Caching You may enable FTP caching by going into the console tree of ISA management and proceed through the following menu items: Cache Configuration -> Configure Cache Policy -> Cache Configuration Properties –> FTP. The underlying mechanism of FTP caching is similar to that of HTTP caching, except that FTP has no provisions for file expiration, as ISA Server cannot determine the appropriate TTL for specific files from the original source. This forces ISA Server to use the same TTL for all the FTP objects. Configuring Active Caching You may enable Active caching by going into the console tree of ISA management and proceed through the following menu items: Cache Configuration -> Configure Cache Policy -> Cache Configuration Properties –> Active caching. Similar to HTTP caching, there are three options for Active caching: Frequently, Normally, and Less Frequently. These values govern, primarily, the frequency of retrieving objects on the web. Configuring Negative Caching You may configure ISA Server to retrieve an object from its cache when the object is not accessible on the Internet. This holds true even when the TTL for the object has expired.
Installing ISA Server 13
You may also cache the response to requests that fail, so that error messages can be returned to the clients much faster. You may enable Negative caching by going into the console tree of ISA management and proceed through the following menu items: Cache Configuration -> Configure cache policy -> Cache configuration Properties –> Advanced. From there, you may select the Cache objects you desire. Configuring Scheduled Download To configure scheduled content downloads, you may go into the console tree of ISA Management and proceed through the following menu items: Cache configuration -> Scheduled Content Download Jobs From there, select New -> Job. This will invoke the New Scheduled Content Download Job Wizard.
Figure 1.7.
ISA Management
14 Chapter 1: 70-227 Certification
Figure 1.8.
New Scheduled Content Download Job Wizard
With ISA Server scheduled download service, you can download Internet content to the ISA Server cache according to a predefined schedule. This service will work for HTTP, but not for FTP objects. This service will not only speed up Web performance, but will also ensure that Web pages are available to users even when Internet connectivity is down. The frequency options available are: • Download the content only once at the specified time. • Download the content every day at the specified time. • Download the content weekly on the specified day at the specified time. The related job parameters include: • TTL. Override an existing TTL with a new TTL. • Links Depth. Define a link depth to limit the depth of the links. Of course, the link depth can be unlimited. You can also enable Content only for URL (not sites to which it links) to prevent downloading
Installing ISA Server 15 • linked content from other Web sites. • Number of Cached Objects. Define a maximum number of cached objects. Valid numbers are 1 to 65535.
Installing the ISA Server as a member of an array Other than setting up the ISA Server as a standalone server, you can also select an array for your computer to join if you have initialized the Enterprise edition. You can do this by modifying the Active Directory schema. We will get into detail regarding array configuration in later chapters. One thing you must keep in mind if you are going to upgrade Proxy Server 2.0 to ISA Server as an array member, you must install the ISA Server Enterprise Edition. According to Microsoft, the first time ISA Server Enterprise Edition is deployed, the environment should be initialized, the ISA Server should be installed, and the environment should be configured using the administration tools included with ISA Server 2000 Enterprise Edition. When we talk about “initializing the environment,” we actually mean running the initialization tool that starts the Active Directory schema update. You must run this initialization tool before you can use either the Enterprise Policy or Array Policy. By updating the schema, ISA Server can be installed as standalone or as part of an array. Without the schema update, ISA Server can only run in standalone mode, which does not take the advantage of CARP and multilevel policies. Pop Quiz 1.2
Pop Quiz 1.2 Questions
1) List the private IP address ranges specified by IANA.
2) What are the valid installation modes?
3) Which installation modes require the use of cache drive?
4) What is the default size of the cache drive?
5) How do you optimize the caching performance?
16 Chapter 1: 70-227 Certification
Pop Quiz 1.2 Answers 1) 10.0.0.0 – 10.255.255.255.
172.16.0.0 – 172.31.255.255.
192.168.0.0 – 192.168.255.255.
2) Integrated mode, Firewall mode, and Cache mode.
3) Integrated mode and Cache mode.
4) 100MB.
5) Use a dedicated cache drive
Notes:
Installing ISA Server 17
IV
Upgrading Proxy 2.0 Server to
ISA Server
Full migration from Proxy Server 2.0 to ISA Server is possible except for cache content and SOCKS rules. ISA Server has its own advanced cache engine and SOCKS application filters that provide improved performance over Proxy Server 2.0.
Backing up the Proxy Server 2.0 configuration Keep in mind that ISA Server can only run on Windows 2000. If your Proxy Server 2.0 is running on an NT server, you should first disable the existing Proxy services and upgrade the server to Windows 2000. Also note that direct upgrade from Proxy Server 1.0, BackOffice Server 4.0, or Small Business Server 4.0 is not supported. The Proxy 2.0 services that need to be disabled are: • Wspsrv. •
Mspadmin.
•
Mailalrt.
•
W3svc.
Since there is not an automatic option to restore to Proxy Server 2.0 once you have started the upgrade to ISA Server, you should perform a full backup of the Proxy Server 2.0 settings prior to upgrading to ISA Server. You should also disconnect the server from the Internet. You do not need to worry about the client settings, because Proxy 2.0’s Winsock Proxy clients are compatible with the ISA Server.
18 Chapter 1: 70-227 Certification
V
Setup problems that may occur
Here are the potential problems you will face during and after the setup process: Problem: After installing ISA Server, you are not able to connect to the Internet
resources.
Resolution: You must first set up the access rules before access is possible.
Problem: After installing ISA Server, everyone can connect to the Internet resources.
Resolution: Make sure that the LAT is configured properly and that no external addresses
are included.
Problem: Error messages are presented during the installation.
Resolution: You should consult the Event logs for further information. It is also
recommended that you remove and reinstall ISA Server again.
Problem: ISA Server fails to join an array.
Resolution: Make sure the domain controller can be contacted. Also make sure that the
array members are using the proper communication configuration.
Problem: After the Proxy Server is upgraded, you are not able to connect to the Internet
resources.
Resolution: Proxy Server 2.0 uses port 80 for connection, while ISA Server uses port
8080. Modify the Web Proxy client settings accordingly.
Installing ISA Server 19
Pop Quiz 1.3
Pop Quiz 1.3 Questions
1) Full migration from Proxy Server 2.0 to ISA Server is possible.
True or false?
2) What must be done for upgrading a Proxy server running on NT4 to ISA Server?
3) How do you upgrade the Proxy 2.0 cache content?
4) Proxy 2.0’s Winsock Proxy clients are compatible with the ISA Server.
True or false?
5) When upgrading the Proxy server to ISA Server, you must upgrade the clients first.
True or false?
6) After installing ISA Servers, how do you enable Internet access?
7) When you configure the LAT, what must be excluded?
8) For ISA Server to join an array, what service must be made available?
20 Chapter 1: 70-227 Certification
Pop Quiz 1.3 Answers
1) True.
2) Upgrade the server to Windows 2000 with SP1.
3) You cannot do this.
4) True.
5) False.
6) Configure the access rules.
7) External addresses.
8) DNS.
Notes:
Installing ISA Server 21
VI
Chapter 1: Summary
In this chapter you have been presented with background information about ISA Server. You learned the various modes available, as well as the installation tasks required. You also learned how to perform an upgrade from Proxy Server. Remember that LAT configuration and cache configuration are the critical elements in the installation process. The exam does not focus on the upgrade process. However, you are expected to know the hardware and software requirements of ISA Server installation and configuration. You should also understand how ISA Server software modifies the Active Directory schema so that the ISA Server array can be configured to function. This is what “initializing “ the enterprise means. The best way to familiarize yourself with ISA Server is to download and install the evaluation copy from Microsoft’s Web site.
22 Chapter 1: 70-227 Certification
VII
Chapter 1: Practice Test
1. You are the network administrator. Your company's network is being upgraded to Windows 2000 from NT4. You wish to replace the Proxy Server with a more powerful system that has the same functions as the Proxy Server. What system should you implement? A. Implement Internet Connection Sharing (ICS). B. Implement Network Address Translation (NAT). C. Implement Active Directory on the Primary Domain Controller. D. Implement Internet Security and Acceleration Server 2000. E. Implement Dynamic Host Configuration Protocol.
2. You are the network administrator. Your company's network runs Windows 2000 in native mode. You found that someone is trying to attack your network from the Internet. You wish to implement a firewall and use ports filtering in order to prevent people from attacking your network. You also wish to perform NAT so that your internal network will not be shown over the Internet. Finally, you wish to increase the accessing speed by setting a cache server. You want to complete all tasks with less administrative effort. What should you do? A. Install ISA Server 2000 in firewall mode, protecting the network and inspecting network traffic. B. Install ISA Server 2000 in cache mode, providing cached objects for the internal clients. C. Install ISA Server 2000 in integrated mode, providing secure and efficient Internet access and at the same time allowing for secure processing of external requests to the internal servers. D. Install ISA Server 2000 in mixed mode, securing Internet access and allowing for secure processing of external requests to the internal servers. E. Install ISA Server 2000 in native mode, preventing external users from accessing your network by filtering specific ports.
Installing ISA Server 23 3. You are the network administrator. Recently, your company installed an ISA Server 2000 on a Windows 2000 Advanced Server computer that is a member server of the domain. The computer has one 10/100 Ethernet adapter installed on it. After installing ISA Server 2000, the computer is unable to access the Internet. You make sure that the Internet connectivity is configured properly. The router is working properly as well. TCP/IP is set up properly for all servers and clients in the network. How do you solve this problem? (Choose all that apply.) A. Unlock Port 8080. B. Unlock Port 21. C. Install another NIC on the computer. D. Replace the current 10/100 Ethernet adapter with a faster one. E. Upgrade the computer to a domain controller. F. Unlock Port 80.
4. You are the network administrator of your company. Your company's network has 2 domain controllers running Windows NT Server 3.51 and 200 client computers running Windows 3.51 Workstation. In addition, there is one DHCP server. Your company has registered the Web site name with InterNIC. All external users are able to locate your Web site by resolving the Fully Qualified Domain Name (FQDN). However, users in your company are unable to resolve internal names. What should you do? (Choose all that apply.) A. Upgrade all the Domain Controllers to Windows 2000 Server. Upgrade all client computers to Windows 2000 Professional. Implement Active Directory. B. Upgrade all Domain Controllers to Windows Professional. Upgrade all client computers to Windows 2000 Server. Implement Active Directory. C. Set up a DNS Server and integrate it to the Active Directory. D. Set up a WINS Server and integrate it to the Active Directory. E. Remove the DHCP Server and install DHCP Relay Agent.
24 Chapter 1: 70-227 Certification 5. You are the network administrator of your company. You are asked to install ISA Server 2000 on two computers. However, neither of them are able to run ISA Server 2000. You realize that they do not meet all the requirements for installing ISA Server 2000. What things should you change in order to install ISA Server 2000? Computer A:
CPU: PII 266.
Memory: 256 MB.
Hard Disk: 10GB free space.
Operating System: Windows 2000 Professional.
Computer B:
CPU: PII 300.
Memory: 96 MB.
Hard Disk: 1GB free space.
Operating System: Windows 2000 Server (with SP2).
A. On Computer A, upgrade the memory to 512. B. On Computer A, upgrade the OS to Windows 2000 Advanced Server. C. On Computer A, upgrade the OS to Windows 2000 Server and install SP 1 or higher. D. On Computer A, upgrade the CPU to PII 300 or higher. E. On Computer B, upgrade the memory to 128 or higher. F. On Computer B, release more hard disk space in order to install ISA Server 2000. G. On Computer, upgrade the OS to Windows Advanced Server.
Installing ISA Server 25 6. You are the network administrator of your company. Internet hackers have attacked your company’s network. You want to prevent unauthenticated users from accessing your network. You also want to prevent people from scanning any port inside your network. You want to complete this task with less administrative effort. What should you do? A. Install ISA Server 2000 in cache mode, caching all information received from external network. B. Install ISA Server 2000 in firewall mode. This runs port filtering to block specific ports. C. Install ISA Server 2000 in integrated mode. This runs both port filtering and caching. D. Install ISA Server 2000 in protection mode. This runs packet filtering to filter specific packets.
7. You are the network administrator of your company. Recently, you installed an ISA Sever 2000 on a computer in integrated mode for packet filtering from the Internet. After installing ISA Server 2000, all internal users are able to connect to the Internet through the ISA Server except Michael. What should you do in order to solve Michael's problem? A. Insert a PTR record with his computer's IP into the DNS primary zone. B. Insert an A record with his computer's name into the DNS primary zone. C. Put his computer's IP into the Local Address Table (LAT). D. Delete his computer's IP from the LAT. E. Type "ipconfig/renew" in a sell window.
26 Chapter 1: 70-227 Certification 8. You are the network administrator of your company. You have been assigned the task of modifying the Local Address Table (LAT). What kind of IP address can you write into the LAT? A. Public (External) Addresses. Example: 203.191.60.48. B. Subnet mask. C. Private (Internal) Addresses. Example: 172.16.0.1. D. CNAME Records. E. MX Records.
9. You are the network administrator of your company. Some clients in your network complain that they hate waiting so long to receive a Web page over the Internet. You want to solve this problem with less administrative effort. What should you do? A. Enable IPX caching. B. Enable SMTP caching. C. Enable H.323 caching. D. Enable FTP caching. E. Enable HTTP caching.
10. Chu is the network administrator of your company. Chu enables negative caching in ISA Server 2000. Why does Chu do that? (Choose all that apply.) A. To cache the response to requests that fail, so that error messages can be returned to the clients much faster. B. To retrieve an object from the Internet in a shorter time. C. To retrieve an object even if the TTL for the object has expired. D. To retrieve an object from its cache when the object is not accessible on the Internet.
Installing ISA Server 27 11. You are the network administrator of your company. You need to update the version of some objects in the cache of ISA Server 2000 frequently. Therefore, you try to configure scheduled download. How do you do that? A. Go into the console tree of ISA management - Cache configuration Scheduled Content Download Jobs and select New - Job. B. Go into the console tree of ISA management - Cache information Scheduled Content Download Jobs and select New - Job. C. Go into the console tree of ISA management - Cache modification Scheduled Content Download Jobs and select New - Job. D. Go into the console tree of ISA management - Cache display - Scheduled Content Download Jobs and select New - Job.
12. You are the network administrator of your company. You want to install the ISA Server as a member of an array. What should you do? A. Modify the RAID-5 array. B. Modify the Active Directory schema. C. Modify the Forest Hierarchy. D. Modify the Domains trust relationship.
28 Chapter 1: 70-227 Certification 13. You are the network administrator of your company. You are planning to upgrade the existing Proxy Server to ISA Server 2000 standard edition on a computer running Windows 2000 Advanced Server. However, the upgrade progress fails. What is the problem? A. The computer doesn't meet the hardware requirements for ISA Server 2000. B. ISA Server 2000 cannot be installed on a Windows 2000 Advanced Server computer. C. ISA Server 2000 can only be installed on domain controllers. D. ISA Server 2000 standard edition cannot be upgraded on a computer running Proxy Server.
14. You are the network administrator of your company. You need to install ISA Server 2000 on a computer running Proxy Server 2.0 under Windows NT Server 4.0. What step or steps should you take to successfully install ISA Server 2000? (Choose all that apply.) A. Enable the existing Proxy services. B. Upgrade the server to Windows 2000. C. Install ISA Server 2000 after upgrading to or installing Windows 2000 Server. D. Format the hard disk, then install Windows 2000 Server. E. Disable the existing Proxy services.
Installing ISA Server 29 15. You are the network administrator of your company. You need to install ISA Server 2000 on a computer running Proxy Server 2.0 under Windows 2000 Server. You realize that you must disable several services in order to install ISA Server 2000. What service or services should you disable in order to install ISA Server 2000? A. Wspsrv. B. Mspadmin. C. Mailalrt. D. W3svc. E. Winnt32. F. NBTstat. G. Convert. H. Net use.
16. You are the network administrator of your company. Your boss tells you that the ISA Server in the network was unable to join an array. What should you do? (Choose all that apply.) A. Ensure the DHCP Server is working properly. B. Ensure the DNS Server is working properly. C. Ensure the domain controller can be contacted. D. Ensure that the array members are using the proper communication configuration. E. Ensure that the WINS server is working properly.
30 Chapter 1: 70-227 Certification 17. You are the network administrator of your company. You want to install ISA Server 2000 on a computer running Windows 2000 Advanced Server. You make sure that it meets all the hardware requirements for running ISA Server 2000. However, the installation is not completed successfully. What should you do? A. Apply for Windows Service Pack 1. B. Apply for ISA Server 2000 Service Pack 1. C. Install DHCP Server before installing ISA Server 2000. D. Install Proxy Server 2.0 before installing ISA Server 2000.
18. You are the network administrator of your company. You tried to install ISA Server 2000 on a computer. During the installation process of ISA Server 2000 some errors occurred. How do you analyze those problems? A. Check the event logs in Event Viewer. B. Check the event logs at c:\%root%\system32\errors.log. C. Restart the computer in Safe mode. D. Restart the computer in Debug mode.
Installing ISA Server 31 19. You are the network administrator of your company. You are planning to upgrade the Proxy Server to ISA Server 2000. You're worried about data loss after installation. What should you do in order to make sure that no data loss will occur with less administrative effort? A. Restart the computer in Active Directory Restore mode. Run ntdsutil command. B. Perform a full backup of the entire Windows operating system. C. Perform a full backup of the system32 directory. D. Perform a full backup of the Proxy Server 2.0 settings and disconnect the server from the Internet.
20. How do you enable Active caching? A. Go into the console tree of ISA management Cache Installation - Install cache policy – Cache Installation Properties – Active caching. B. Go into the console tree of ISA management Cache Relationship – Related cache policy – Cache Relation Properties – Active caching. C. Go into the console tree of ISA management Cache loading - Load cache policy – Cache Loading Properties – Active caching. D. Go into the console tree of ISA management Cache Configuration – Configure cache policy – Cache configuration Properties – Active caching.
32 Chapter 1: 70-227 Certification
21. You have just completed your first installation of ISA Server. You discover that you are not able to connect to Internet resources. What must you do before accessing the Internet is possible? Your Answer: ___________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________
22. You have just completed installing and configuring your first ISA Server. Now everyone can connect to Internet resources. Which configuration is not properly configured? Your Answer: ___________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________
23. During the installation and configuration your first ISA Server, you are presented with several error messages. What would you consult to obtain more information on the errors? Your Answer: ___________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________
Installing ISA Server 33
24. Your newly installed ISA Server fails to join an array. How would you troubleshoot to solve this problem? Your Answer: ___________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________
25. Your new ISA Server has been working properly for the last three weeks. You now upgrade the Proxy Server and then are not able to connect to Internet resources. How would you troubleshoot to solve the problem? Your Answer: ___________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________ ________________________________________________________________________________
34 Chapter 1: 70-227 Certification
VIII Chapter 1: Exercises Lab 1.1
Installing Windows 2000 Server for ISA Server
Goal: In this exercise, you will install Windows 2000 in preparation for ISA Server installation and configuration.
Task
Step-by-Step Procedure
1.
Prepare for the installation program.
1.
2.
Go through the Setup program
2.
Insert the CD into the CD-ROM. Reboot your computer. The computer detects the W2K Server Setup CD. Press any key when your computer detects the CD. The Setup program will start. When prompted, press Enter to set up Windows 2000.
3.
The licensing agreement appears; press F8 to continue.
4.
Choose the partition on which you wish to install Windows 2000 Server. You can install it on a new or unpartitioned space as long as there is enough space.
5.
If the partition you choose is not formatted, you will be promoted to format it.
6.
The Setup program starts installing devices to your computer.
7.
The Regional Settings screen appears, and you have the option of changing the system and user locales, and the keyboard layout.
8.
The next dialog box appears. Type your name and the name of your company.
9.
The Product Key dialog box appears. Type the product key found on the jewel case.
10. The Licensing Mode dialog box appears. Choose either per seat or per server license. 11. The Administrator Name and Password Setting dialog box appears. Give yourself a good name and password.
Installing ISA Server 35
Task
Step-by-Step Procedure 12. The Windows 2000 Server Components dialog box appears. In this dialog box, you can choose the optional components you want to install at this time. It is suggested that you choose to install Network Monitor. 13. If you have a modem installed in the server, the system will auto detect and install it. 14. The Date and Time Settings dialog box appears, and you are prompted for the current date and time as well as the time zone. 15. The Networking Settings dialog box appears. You are prompted for the kind of networking settings to configure. Choosing the Typical setting will install Client for Microsoft Networks, File and Printer Sharing, and TCP/IP with the DHCP client. 16. The Workgroup or Domain dialog box appears. Note: To allow the computer to join an ISA array, a domain must be set up. 17. Now, type a name and a password for joining the domain. These should be the credentials used by the domain admin group. 18. The Installing Components dialog box appears, and the Setup program starts installing all the components you have requested. 19. The Setup program completes successfully. Remove the CD from the CD-ROM and restart the computer.
Notes:
36 Chapter 1: 70-227 Certification
Lab 1.2
Installing ISA Server
Goal: In this exercise, you will install ISA Server 2000.
Task
Step-by-Step Procedure
1.
1.
Insert the ISA Server Setup CD into the CDRom.
2.
The Setup program should run automatically. Otherwise, launch isaautorun.exe manually.
3.
The Setup program asks for the 10 digit CDkey. Without the key you won’t be able to continue the installation.
4.
The Setup program shows you the End User License Agreement. If you accept it, the Setup program will continue.
5.
You will be asked to choose between Typical, Custom, and Full installation.
6.
The Setup program tells you that your computer cannot join an ISA array because it is not in a Windows 2000 domain, and the Setup program needs to update the Active Directory schema in order to join an array. As a result, the ISA Server is installed as a standalone server at this time.
7.
Now, choose between the following server modes: Firewall, Cache, or Integrated mode. For lab purposes, choose Integrated mode.
8.
The Setup program stops the computer’s IIS publishing service (W3SVC). It also tells you that you should reinstall or reconfigure IIS sites and not use either Port 80 or 8080.
9.
The Setup program prompts you to choose the maximum size and the location of the Cache file. Click the “Set” button to confirm the setting.
2.
Prepare to install ISA Server. Launch isaautorun.exe from the setup CD. Go through the installation program. Prepare to answer questions.
Installing ISA Server 37
Task
Step-by-Step Procedure 10. It’s time to set the Local Address Table, which contains all internal client IPs. Type in all redefined clients’ internal IP addresses. 11. Finally, a dialog box appears telling you that the Microsoft Internet Security and Acceleration Server Enterprise Edition setup has been completed successfully.
Notes:
Configuring ISA Server Services 39
Chapter 2: Configuring ISA Server Services The objective of this chapter is to provide the reader with an understanding of the following: 1. The different ISA services. 2. Configuring outbound access. 3. Configuring Web publishing. 4. Configuring server publishing. 5. Configuring Virtual Private Network (VPN). 6. Configuring ISA Network Load Balancing (NLB). 7. Configuring Cache Array Routing Protocol (CARP).
Getting Ready - Questions 1) Which service is the mother of all the other ISA services?
2) What ISA service is needed for deploying NetMeeting?
3) Can a single client computer deploy multiple client types at the same time?
4) What type of client is mainly for enhanced Web browsing performance?
5) What is the critical factor for enhanced Web browsing performance?
40 Chapter 2: 70-227 Certification
Getting Ready - Answers 1) ISA Server Control Service.
2) H.323 Gatekeeper.
3) Yes.
4) Web Proxy client.
5) Cache size.
I
Introduction
This chapter introduces you to simple outbound access and shows you how to configure the various services provided by ISA Server. The services covered in this chapter are mainly related to publishing servers to the outside world so that external clients can access the internal resources securely. On the server side, you will most likely use ISA Management, a Microsoft Management Console (MMC) snap–in user interface, to manage the ISA services. The default view of this snap-in is called the Task Pad View, which includes shortcuts to the most common configuration tasks. For detailed configuration, you may wish to switch to the Advanced View. When you start ISA Server for the first time, you may want to use the Getting Started Wizard, which will guide you through many initial configuration steps. Always remember, you must log on as an Administrator or a Server Operator in order to administer the ISA Server.
Configuring ISA Server Services 41
Figure 2.1
ISA Management
After ISA Server is installed, you may find the following services in the Computer Management’s Services section: 1. ISA Server Control Service. 2.
Firewall Service.
3.
Web Proxy Service.
4.
Scheduled Cache Content Download.
5.
H.323 Gatekeeper.
ISA Server Control Service is the parent process of all the other ISA services. If it is stopped, all the ISA services will be stopped as well.
42 Chapter 2: 70-227 Certification
II
Configuring outbound Internet access
For basic outbound access, in addition to configuring the access policies on the ISA Server, you must configure the client policies before access is available. There are three types of clients available: the Web Proxy client, the SecureNAT client, and the Firewall client. With the Web Proxy client, clients can enjoy higher Web browsing performance through the use of ISA Server caching. For this client type to work, all you need to do is to configure your browser to use Proxy Server. You will want to be sure that the browser will bypass the Proxy Server for local addresses. If you want to enjoy higher Internet performance without configuring any client side software, or if you are running a non-MS operating system, SecureNAT client provides higher HTTP and FTP performance through the use of ISA Server caching. In addition, SecureNAT also provides higher security protection. Internal servers can be published as SecureNAT client as well. However, using SecureNAT client on a publishing server is not recommended. For this client type to work, all you need to do is to configure your browser to use the ISA Server’s IP address as the client’s default gateway. When using the Firewall client, outbound access that involves TCP or UDP is restricted on a user-by-user basis. The earliest OS version that supports the Firewall client is Win95 OSR2. Clients not running Win95 OSR2 or higher are not supported. For the Firewall client type to work, all you need to do is to run setup.exe from the server’s MSPClnt share directory. During the ISA Server installation, all the necessary files are in place. Note that a single client computer can deploy multiple client types at the same time.
Configuring ISA Server Services 43
Figure 2.2
Firewall Client Properties
44 Chapter 2: 70-227 Certification
Troubleshooting outbound Internet access When you are troubleshooting outbound access problems, you will want to check the following: • Access rules settings. •
Connectivity between you and the ISA Server computer.
•
Connectivity via other client types.
Figure 2.3
Configure Access Policy
Configuring ISA Server Services 45
Here are some examples: • If you can no longer connect to the Internet after configuring the Web Proxy client, you need to check and make sure that the ISA Server has the correct access rules in place. • Also, try to ping the ISA Server and make sure that connectivity exists. • If you can no longer connect to the Internet after installing the Firewall client, you need to check that the ISA Server has the correct access rules in place. Also, run Update Now from the Firewall client to ensure that you are using the latest version of the client software. • If, for example, the SecureNAT client works fine while the Firewall client does not, you should focus your efforts on troubleshooting the Firewall client. This type of problem isolation technique will be extremely valuable in the future. Pop Quiz 2.1
Pop Quiz 2.1 Questions
1) What are the three types of clients?
2) Which ISA service, when stopped, will also cause all the ISA services to stop?
3) With Firewall client, outbound access that involves TCP or UDP is restricted on
what basis? 4) What is the minimum OS version that supports the Firewall client? 5) With SecureNAT client, clients can enjoy higher performance on what type of operations?
46 Chapter 2: 70-227 Certification
Pop Quiz 2.1 Answers
1) Web Proxy client, the SecureNAT client, and the Firewall client.
2) ISA Server Control Service.
3) Per user.
4) Win95 OSR2.
5) HTTP, HTTPS, and FTP.
Notes:
Configuring ISA Server Services 47
III
Configuring ISA Server hosting roles
Hosting roles are how an ISA Server publishes internal server services to external users. From a practical point of view, you will not host any Web services on an ISA Server.
Configuring ISA Server for Web publishing Before configuring access to your Web servers, you should first understand the concept of a Perimeter network.
Figure 2.4
Publish Web Servers
48 Chapter 2: 70-227 Certification
A Perimeter network is a small network acting as a neutral network between the Internet and your network. You place the Web servers inside this Perimeter network for public access. Internal computers are almost completely isolated:
Figure 2.5
Web Server Perimeter Network Design
In the above configuration, a Demilitarized Zone (DMZ) is formed. We refer to this type of configuration as a Back-to-Back configuration. The internal network is in an extremely safe position because any intrusion attempt must pass through two firewalls. For Web publishing, you will want to configure the server that sits between the two firewalls. What does Web publishing mean? Web publishing involves publishing the servers to allow external users to access and use certain features available on the servers. Publishing the servers is different from simply routing requests to the servers. The ISA Servers protect the published servers. All requests are inspected and rules can be applied to restrict server access. Basically, the ISA Server will accept requests on behalf of the actual Web servers. This will work only if the Web servers sit behind the ISA Server. Note that you can still publish servers without having a Perimeter network. However, a Perimeter network provides the safest protection you can have for your network. For Web publishing to work, you will need to configure Web publishing rules to specify how requests are redirected. The following protocols are supported: • HTTP. •
HTTPS.
•
FTP.
Keep in mind that these protocols are not available if your ISA Server is running in Firewall mode.
Configuring ISA Server Services 49
When configuring the Web publishing rules, use the ISA Management tool by selecting and expanding your server’s Publishing section and then by clicking Web Publishing Rules. You may then follow the instructions provided by the New Web Publishing Rule Wizard. You can define multiple rules, and you can adjust the rule order in the Advanced View. Rules are applied in a top down manner. Any request not covered by your rules will be discarded.
Figure 2.6
Configure Publishing Policy
Basically, for each rule you need to go through the following steps: 1. Define the rule name. 2.
Define the destination set.
3.
Define the client type.
4.
Specify the action for the rule.
In the configuration process, the external clients are typically represented by the client sets you defined for the client type. The destination is normally your Web server.
50 Chapter 2: 70-227 Certification
After you configure the rules, the next step will be to configure the HTTP or the Secure Socket Layer (SSL) request listener. You can choose to use the same listener for all the destination IP addresses, or you can configure different listeners for different IP addresses. The bottom line is that you must define at least one listener to handle the requests. When you select the same listener configuration for all internal IP addresses, ISA Server will configure publishing for all addresses associated with all the internal and the external network adapters. To define a listener, use the ISA Management feature to go into the server’s Properties, and then select the Incoming Web Requests tab. The IP address you configure should be the IP address of the external network adapter, not the internal network adapter. Also, keep in mind that when you install ISA Server, the incoming Web request properties are configured without an IP address to listen for requests. When you configure the properties for incoming Web requests, specify the IP address that you set for the ISA Server to allow Web publishing. Included in the listener configuration are the following: • The server and the IP address where the request goes. • Whether or not to use server certificate for Web client authentication. • Authentication method, including Basic, Digest, Integrated, and client certificate (for secure channel only). If the Web sites are secured via SSL, you must ensure that the “Enable SSL listeners” check box is checked. You must also make sure that the port numbers are configured properly. By default, SSL uses Port 443. Note that when SSL is deployed, you should also use a server certificate for Web client authentication. To be able to select a certificate, you must first install the certificate onto the ISA Server computer via the Certificate MMC and have the certificate issued to the corresponding Web sites.
Configuring ISA Server Services 51
Some of your internal Web servers may be using non-standard ports to serve requests. In this case you will need to specify the redirection target port by going into the corresponding Web Publishing Rule’s Properties section and defining the ports in the Action tab. If you are publishing a Web server that runs on the same ISA Server, you may want to configure the rule to redirect the request to the non-standard port of the server’s internal interface. This way the Web server and the Web proxy service will not have conflicts over Port 80. In the Web Publishing Rule’s Properties section, you can configure bridging for SSL in the Redirection (Bridging) tab: • Redirect HTTP requests as HTTP requests. •
Redirect HTTP requests as SSL requests.
•
Redirect HTTP requests as FTP requests.
•
Redirect SSL requests as HTTP requests.
•
Redirect SSL requests as SSL requests.
•
Redirect SSL requests as FTP requests.
To obtain maximum security, SSL should always be redirected to SSL. You may also enable the “Require secure channel for published site” option. This option will reject all connection requests that do not use SSL. Additionally, you may check the “Require 128 bit encryption” option. This, however, requires the installation of the Windows 2000 High Encryption Pack that can be obtained via Windows 2000’s Windows Update feature.
52 Chapter 2: 70-227 Certification
Configuring ISA Server for Server Proxy In Proxy Server 2.0, we use the term “Server Proxy” to describe the use of Proxy Server as a middleman between the client and the server. Client requests are directly targeted towards the Proxy Server. The Proxy Server then forwards the request to the server. To the client, the Proxy Server is just like the real server it is accessing. In ISA Server, you can achieve similar results by means of server publishing.
Configuring ISA Server for server publishing In theory, server publishing is similar to Web publishing. However, server publishing is mostly used for non-Web activities, meaning that there will be no HTTP, HTTPS, and FTP operations. Basically, for each rule you need to go through the following steps: 1. Define the rule name. 2.
Define address mapping.
3.
Define protocol setting.
4.
Specify the client type.
To configure the server publishing rules, use the ISA Management tool. Select and expand your server’s Publishing section and then click Server Publishing Rules. You can then follow the instructions provided by the New Server Publishing Rule Wizard. Address mapping refers to the mapping of the internal server to the external ISA interface. This mapping allows the internal server and external server to interact. Note that if packet filtering has been enabled on the ISA Server; make sure that the ports required by the internal server are not blocked.
Configuring ISA Server Services 53
Pop Quiz 2.2
Pop Quiz 2.2 Questions 1) What protocols are supported by Web publishing?
2) What tool do you use to configure the Web publishing rules?
3) What is the minimum number of listener you must define to handle requests?
4) What is the maximum number of listener you can define to handle requests?
5) For the “Require 128 bit encryption” option to work, you need to:
54 Chapter 2: 70-227 Certification
Pop Quiz 2.2 Answers 1) HTTP, HTTPS, and FTP.
2) ISA Management tool.
3) One.
4) Unlimited.
5) Install the Windows 2000 High Encryption Pack.
Notes:
Configuring ISA Server Services 55
IV
Configuring H.323 Gatekeeper
The H.323 Gatekeeper service is required if you are to run NetMeeting or any other applications that use the H.323 protocol, a protocol used primarily for communicating audio and video information with the client software.
Audio and video conferencing H.323 is an International Telecommunication Union (ITU) standard. Every transaction that involves this protocol uses two points, one is the origination and the other is the destination. In the context of ISA Server, the ISA Server itself is the endpoint in the transaction. If you chose full installation when installing ISA Server, the H.323 Gatekeeper service is installed automatically. If the H.323 service is not installed, go into ISA Management, right-click on H.323 Gatekeepers, and choose Add gatekeeper. After Gatekeeper is installed, configure the corresponding filter to allow incoming calls, add the appropriate service location record to the DNS server, and enable call routing. The next step is to configure the H.323 applications to register with the Gatekeeper to ensure correct routing of incoming calls.
56 Chapter 2: 70-227 Certification
Figure 2.7
Filter Properties
According to Microsoft’s TechNet, the H.323 Endpoints typically register with the H.323 Gatekeeper using H.323 Registration, Admission, and Status (H.323 RAS). You can use the H.323 Gatekeeper snap-in to add a static registration to endpoints that do not support H.323 RAS registration. You may also consider the use of aliases. An alias consists of two fields: a type and a name. The type would be E164, H.323-ID, or E-Mail-ID.
Configuring ISA Server Services 57
You must keep the following in mind when deploying Gatekeeper: • H.323 Gatekeeper does not provide any security. • If you are managing ISA Server of H.323 Gatekeeper remotely, you cannot access all of the tools and Help topics unless you have installed the Windows 2000 Administration Tools.
Configuring Gatekeeper rules To configure the Gatekeeper rules, go into ISA Management and click Call routing. To create a phone number rule, right-click Phone number rules, click Add routing rule, and follow the on-screen instructions. To create an IP address rule, right-click IP address rules, and then click Add routing rule and follow the on-screen instructions. To create an e-mail address rule, right-click E-mail address rules, and then click Add routing rule and follow the on-screen instructions. After H.323 Gatekeeper has established which routing rules match, the routing rules are sorted based on the following criteria: • Rules with patterns containing more domain elements have precedence over rules with patterns containing fewer domain elements. • If two rules contain the same pattern, a rule with the matching type Exact has precedence over a rule with the matching type Suffix. • If two rules contain the same pattern and the same matching type, a rule with a lower metric number has precedence over a rule with a higher metric number. After H.323 Gatekeeper creates the sorted list, it processes each one in order.
58 Chapter 2: 70-227 Certification
Gatekeeper Telephone Rules According to Microsoft TechNet, the phone number rules use the following form: Item
Description
Name
Rule name.
Pattern
Pattern of numbers you are trying to match.
Matching
Whether the pattern type must be a string at the beginning of the phone number or an exact match for the entire phone number for the rule to take effect.
Destination The server to which the call request is routed if this rule takes effect. Discard digits
The number of digits removed from the phone number before it is routed to the destination.
Add prefix
The prefix that will be added to the destination.
Metric
The ranking of this rule compared to other rules. The lower the metric number, the more precedence this rule is given.
Status
Either enabled or disabled.
Description What this rule is all about. H.323 Gatekeeper determines which rules match the alias in the call request. A phone number alias can use the numbers 0 through 9, the number sign (#), asterisk (*), and comma (,).
Configuring ISA Server Services 59
Gatekeeper E-mail Rules According to Microsoft TechNet, the IP Address rules use the following form: Item
Description
Name
Rule name.
Pattern
Pattern of the IP address you are trying to match.
Destination The destination to which the call request is routed if this rule takes effect. Metric
Ranking of this rule compared to other rules. The lower the metric number, the more precedence this rule is given.
Status
The rule is either enabled or disabled.
Description What this rule is all about. IP address rules apply only to requests for translation of IP address strings that take the form of a.b.c.d. Gatekeeper Internet Protocol (IP) Rules According to Microsoft TechNet, E-mail address rules take the following form: Item
Description
Name
Rule name.
Pattern
The text pattern you are trying to match.
Matching
Whether the pattern must be a string at the end of the e-mail address or an exact match for the entire e-mail address for the rule to take effect.
Destination The server to which the call request is routed if this rule takes effect. Metric
Ranking of this rule compared to other rules. The lower the metric number, the more precedence this rule is given.
Status
Either enabled or disabled.
Description What this rule is all about. H.323 Gatekeeper attempts to match the domain portion of the e-mail alias with the rules.
60 Chapter 2: 70-227 Certification
Configuring Gatekeeper destinations How a Gatekeeper rule is processed depends entirely on the type of destination specified by the rule. Possible destination types include: • None. Stops rule processing. • Registration Database. Finds the alias in the local registration database. • Gateway/Proxy. Specifies the destination as a particular proxy, or gateway, and lists an IP, DNS, or NetBIOS address. • Internet Locator Service (ILS). Specifies a server running Internet Locator Service for name resolution. • Gatekeeper. Specifies the IP, DNS, or NetBIOS address of a specific
H.323 Gatekeeper.
• Multicast Gatekeeper. Specifies that the destination is a multicast group. • DNS. Use this destination type only for e-mail address queries. • Active Directory. For resolving e-mail address namespace aliases using Windows 2000 Active Directory. • Local Network. Valid only for IP aliases. H.323 Gatekeeper returns the address represented by the alias. You may use the Add Destination Wizard to configure the appropriate destination types for your rules.
Configuring ISA Server Services 61
Pop Quiz 2.3
Pop Quiz 2.3 Questions
1) If you are managing the ISA Server’s H.323 Gatekeeper remotely, how do you access all of the tools and Help topics? 2) How do you add a static registration to endpoints that do not support H.323 RAS registration? 3) A phone number alias can use: 4) How do you configure the appropriate destination types for your rules? 5) Rules with patterns containing more domain elements have precedence over rules with patterns containing fewer domain elements. True or false?
62 Chapter 2: 70-227 Certification
Pop Quiz 2.3 Answers
1) Install the Windows 2000 Administration Tools.
2) Use the H.323 Gatekeeper snap-in.
3) The numbers 0 through 9 and the number sign (#), asterisk (*), and comma (,).
4) Use the Add Destination Wizard.
5) True.
Notes:
Configuring ISA Server Services 63
V
Routing and remote access connections
You may wonder why we need to consider the use of remote access with ISA Server. One obvious reason is that in a situation where your network needs to connect to the Internet via dial up connections, you will want ISA Server to dial for you. Put it this way, you use the dial-up entries to specify how the ISA Server will connect to the Internet.
Setting up dial-up connections To allow ISA Server to make use of a dial-up connection, you must first create a dial-up entry. Every entry must contain the name of the connection. You may optionally configure the user name and password for a user who has permissions to access the dial up connection. First, the connection itself must appear fully configured in My Network Place. Then, go into the console tree of ISA Management, right-click Dial-up entries and then click New. Fill in the necessary information, and, most importantly, select an existing dial-up connection to use. Finally, key in the name of a user authorized to use this network dial up connection. Keep in mind that the first dial-up entry created will be set as the active dial-up entry used for routing rules and for chaining multiple firewalls. As a recommendation for a configuration that has multiple dial-up connections, right-click your dial-up entry and then click Set as active entry so that this connection will always be used as the default.
Troubleshooting dial-up connections Since ISA Server is only using an existing connection rather than creating one of its own, any problem associated with dial-up connections is probably the problem of the dial-up configuration itself. One of the most common errors is Event 12227, meaning that the dial-out connection has failed with the specified phonebook entry. In this case you should manually dial the specified phonebook entry to confirm that the problem is not the Windows 2000 auto-dial facility.
64 Chapter 2: 70-227 Certification
Setting up routing connections With ISA Server, you can create routing rules to determine whether a Web Proxy client request is retrieved directly from the specified destination, is sent to an upstream server, or is redirected to an alternate site. The key point here is that, if you route the request directly to an upstream server and you specify a backup route, you can use a specified dial-up entry for the backup route. ISA Server will use the backup route only when the primary route is down. ISA Server will check the availability of the upstream server periodically, and if the primary route becomes available again, it will switch everything back to the primary route. To configure routing connections, go into the console tree of ISA Management and click Routing. Then go into the applicable routing rule’s Properties – Action tab and enable routing the connections to upstream Proxy Server. Then, in the Backup route select Upstream Proxy Server and then click Settings. Fill in the information, and optionally click Use dial-up entry for backup route if you want your ISA Server to dial out for back up connections. Alternatively, if you want the dial-up connection to be a primary one, click Use dial-up entry for primary route.
Troubleshooting routing connections When using an upstream server, it is very common to experience credential problems. This is because your upstream server may require that the downstream proxy pass authentication. You will want to go into the console tree of ISA Management and click Routing. Then go into the applicable routing rule’s Properties – Action tab, and inspect the settings of the upstream server. From there you will find a Use this account button. If your upstream server is accessible only when the downstream proxy supplies credentials, click the button and type the user name, password, and authentication type. Otherwise, clear the settings here to allow connections without supplying credentials.
Configuring ISA Server Services 65
Configuring remote access service and connections Without ISA Server, you can use Windows 2000's remote access server service to make network services and computers available to your remote clients. This does not mean that the remote access server can no longer run on the ISA Server computer, just that ISA Server itself provides the same type of functions with enhanced security and control features. In fact, both of them can coexist, as the ISA Server can make use of Routing and Remote Access Service (RRAS)’s dial-up entries. Keep in mind though, that ISA Server’s packet filtering functions will replace RRAS packet filtering function. According to Microsoft’s recommendation, you may need to deploy the routing functions of RRAS with ISA in scenarios where specific routing has to be established for ISA Server use. A wizard is provided to help configure connectivity between local area networks with Point-to-Point Tunneling Protocol and Layer 2 Tunneling Protocol. Microsoft also suggests that secure network address translation and dynamic packet filtering functionality be configured only through ISA Server and not through RRAS. The way you configure the RRAS connections is covered in detail in exams 210 and 215. For information regarding the deployment of Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP), please refer to the Virtual Private Network (VPN) section of this book.
Troubleshooting remote access connections Since there is a chance that ISA Server will rely on RRAS dial entry, any misconfiguration in RRAS can produce trouble. Incorrect phone book entry settings are the most commonly found errors. Invalid credentials and a mismatch in the tunneling protocols on both sides of the connection are all possible causes of errors.
Setting up dial-on-demand connections With dial- on–demand, the ISA Server will only dial out when there is a need. This provides a great saving on connection costs. One way of implementing this kind of interface is via the Local ISA VPN Wizard.
66 Chapter 2: 70-227 Certification
This wizard will set up a local ISA VPN server that can receive connections from a remote ISA VPN server by creating the dial-on-demand interfaces required to receive connections from remote VPN servers. It will also configure the IP packet filters required to protect the connection. Of course, you can also create a demand dial interface without involving ISA. In fact, Microsoft has an article, Q238801, that provides details on demand dial interface configuration. To prevent someone in your network from using the demand dial interface, you may configure demand dial filters. However, if the Network Address Translation feature is in use, the demand dial filters will not work. According to Microsoft, this problem can be resolved by applying the latest service pack.
Troubleshooting dial-on-demand connections Dial-on-demand connections are trouble-free most of the time, except in cases where the demand dial interface is not configured properly. Note that if someone in your network cannot connect to the Internet through this interface while someone else can, it is highly likely to be a permission problem in which some users are not allowed to invoke dial-up calls. According to the Microsoft Knowledge base, when you configure a Windows 2000-based network to use the Routing and Remote Access service as a gateway to the Internet, both the client computer and server programs may be unable to access the Internet on their first attempt. This behavior can occur when you use a modem that has a Routing and Remote Access dial-on-demand interface to access the Internet. The reason is simple: there is a time delay for the modem to establish a link to the resource. This delay may produce a timeout for the client browsers. In this case, you either manually make the connection or configure a greater timeout value in the client application.
Setting up and verifying routing rules Once the connection is configured, you may want to configure the corresponding routing rules. Routing rules are used to determine whether a Web Proxy client request is retrieved directly from the specified destination, is sent to an upstream server, or is redirected to an alternate site. To create a routing rule, go into the console tree of ISA Management, rightclick Routing, and then New - Rule.
Configuring ISA Server Services 67
This is the same place where you can verify the routing rules you have configured. Apart from configuring routing rules, you must also enable IP routing so that ISA Server can perform as a router. You may go into the console tree of ISA Management, click IP Packet Filters – Properties - Enable IP routing. You may optionally enable filtering here as well. When you enable ISA Server packet filtering, all packets on the external interface are dropped unless they are explicitly allowed. When you enable only ISA Server routing, the ISA Server will simply route all traffic without regard to the security policy. Microsoft recommends that if you enable both filtering and routing, you can benefit from the strict policy enforcement at the packet filter level together with routing capabilities for secondary connections which ISA Server previously allowed after examining the primary connection. Generally speaking, it is easy to configure ISA Server to handle static IP routes, as the route elements are not going to change dynamically. To add a static route, you may either use the Route Add command or use the GUI by using Routing and RAS Admin. Pop Quiz 2.4
Pop Quiz 2.4 Questions
1) What does RAS stand for?
2) RAS cannot co-exist with ISA Server. True or false?
3) What is an advantage of using dial-on-demand interface?
4) What kinds of routes are supported in ISA Server?
5) ISA Server’s packet filtering functions cannot replace RRAS packet filtering
function, but compliment it. True or false?
68 Chapter 2: 70-227 Certification
Pop Quiz 2.4 Answers
1) Remote Access Service.
2) False.
3) Cost savings.
4) Dynamic and static.
5) False.
Notes:
Configuring ISA Server Services 69
VI
Virtual Private Network (VPN)
With a VPN, you can connect your local network with remote users or remote networks through Internet links. All traffic is encrypted before being sent, making VPN extremely secure. You can use ISA Server to set up and secure VPN connections for remote users and remote networks. * Sometimes we refer to a VPN connection as tunneling.
Configuring Virtual Private Network (VPN) access Client computers can establish a VPN connection to your network by configuring the ISA Server computer to accept VPN client connections. On the other hand, to allow computers in two networks to communicate with each other over the Internet, both sides must have an ISA Server configured. One of them will act as the local VPN server and the other one as the remote VPN server. You must then configure two separate VPN connections, one at each endpoint of the VPN tunnel. The correct order would be to configure the local VPN first and the remote VPN next
70 Chapter 2: 70-227 Certification
Using the VPN Wizard You may use the VPN Wizard to create VPNs on the ISA Server. The wizard can be invoked from your server’s Network Configuration section in the ISA Management’s console tree.
Figure 2.8
ISA VPN Server Wizard
To set up a local VPN server on an ISA Server computer, go into the ISA Management console tree select your ISA Server and choose Network Configuration - Setup virtual private network (VPN) (Local).
Configuring ISA Server Services 71
Figure 2.9
Network Configuration
The VPN Wizard will create the dial-on-demand interfaces that are required to receive connections from a remote network. It will also configure the IP packet filters for allowing and protecting the incoming VPN connections. When you configure another ISA Server computer to connect to a local ISA Server, you will have to use the VPN configuration settings file that has a .vpc extension. Again, the wizard creates this file automatically. To create and configure a remote VPN server, go to the ISA Management console tree select your ISA Server and choose Network Configuration - Setup virtual private network (VPN) (Remote). You will use the Setup Virtual Private Network taskpad. This will require you to have the .vpc file and the password handy.
72 Chapter 2: 70-227 Certification
Figure 2.10 Remote ISA VPN Wizard To allow remote clients to connect to your VPN service, go to the ISA Management console tree select your ISA Server and choose Network Configuration - Setup clients virtual private network (VPN). You will launch the ISA VPN Server Wizard and use the Setup Clients VPN taskpad. This wizard will set up RRAS to function as a VPN server, configure RRAS for authentication and encryption, and open the required ports on the ISA Server for clients to connect.
Configuring VPN on the ISA Server without using the VPN Wizard It is recommended that you use the wizard for configuring VPN on the ISA Server computer. Manual configuration without the wizard can be unnecessarily complicated. In fact, the exam does not focus on the manual configuration process.
Configuring ISA Server Services 73
In general, the steps involved in the manual configuration process of a local VPN server are: 5. Connections identification. 6. Protocol selection. 7. Communication method specification. 8. Remote addresses definition. 9. Local addresses definition. 10. Configuration file creation. During the configuration, you will need to determine the VPN protocol to use. The choices you have are: • Use L2TP over IPSec, if available. Otherwise use PPTP. If you are unsure whether or not IPSec is supported on both sides, choose this option. IPSec is the mainstream standard for IP Security, and is considered a MUST have if security in an IP network is critical. • Use L2TP over IPSec. Use this connection type whenever possible; it is the most secure VPN protocol you can use. • Use PPTP. If IPSec is not supported, you will have to stick with this option. One important decision you must make is to determine if both sides are allowed to initiate the communication. On the Two-way Communication page, you may select that Both the local and the remote ISA VPN can initiate communication. If you want to allow this option just check the box that applies. You will need to specify the IP addresses that are allowed in the VPN communication process. You need to enter the range of the IP addresses that the local computers can use to gain access to via the Remote Virtual Private Network (VPN) Network page. You determine the IP address of the local computers that the remote ISA VPN computer will connect to via the Local Virtual Private Network (VPN) Network page. Once you have the .vpc configuration file created, it is a simple task to configure the remote VPN computer. In fact, the remote VPN server will simply take this configuration as input for its own configuration.
74 Chapter 2: 70-227 Certification
Troubleshooting Virtual Private Network (VPN) access The typical problem found in a VPN setup is the mismatch or misconfiguration of VPN protocols between both parties. Before determining the protocol to use, make sure that both sides are capable of deploying the same protocol. Another problem found is that the IP addresses of the computers being used are not included in the configuration. Computers with IP addresses that are not included in the configuration will not be able to participate in the VPN communication. Assuming you have the VPN configuration done properly, the next thing you should check is the WAN connectivity. Is RRAS functioning? Is routing configured properly? Try turning off the encryption and see if the computers on both ends can communicate. This will help you identify the true source of problem.
Setting up and troubleshooting connections for VPN Successful VPN configuration also requires the proper configuration of RRAS to provide the mechanism for accepting or initiating connections. There is detailed information on this topic in Section VI of this chapter and in the Implementing a Windows 2000 Network Infrastructure exam.
Configuring ISA Server Services 75
Pop Quiz 2.5
Pop Quiz 2.5 Questions
1) What tool do you use for creating VPNs on the ISA Server?
2) What VPN protocols can be deployed by ISA?
3) What ISA VPN protocol is considered to be the most secure?
4) What is the file extension of the VPN configuration file?
5) Which VPN server should you set up first – Local or Remote?
76 Chapter 2: 70-227 Certification
Pop Quiz 2.5 Answers
1) VPN Wizard.
2) L2TP over IPSec and PPTP.
3) L2TP over IPSec.
4) .Vpc.
5) Local.
Notes:
Configuring ISA Server Services 77
VII
Configuring multiple ISA Server scalability
ISA Server is scalable. This does not mean simply adding CPUs to the same server. It means joining the processing power of multiple ISA Server computers. This kind of “co operation” can exist in two forms: Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP). Before getting into details on these two topics, you want to keep in mind that for any sort of scalability features to work, the network connections among the servers must be consistent and fast (especially for NLB). Also, the failure of any one of the servers will not bring down the entire operation - it will just slow down the performance.
Configuring Network Load Balancing (NLB) NLB stands for Network Load Balancing. It is a feature only available with Windows 2000 Advanced Server. When you deploy ISA Server, fault tolerance can be achieved when you combine two or more ISA Server computers into a single cluster. NLB can provide the reliability and performance that mission-critical servers need. This is how NLB works with ISA Server: The cluster that represents the individual ISA Servers has a single IP address for handling incoming client requests. It then distributes the requests across the hosts so that both load sharing and emergency fall back can be achieved, as long as the default gateway for the SecureNAT clients are configured to the cluster's dedicated IP address. To set up the cluster, you can use the Application Center New Cluster Wizard. If the default settings are not sufficient, you can modify them after creating the cluster with the Application Center user interface. According to Microsoft TechNet, “To create a cluster in Microsoft Application Center 2000 (Application Center), first you must create a cluster on one server and then, to expand the cluster, add subsequent servers individually. To create a cluster on one server, use the New Cluster Wizard. To add servers to a cluster or to join an existing cluster, use the Add Cluster Member Wizard. Before you can start either wizard, you must establish a connection with the server by using appropriate administrative credentials. Since all cluster members are synchronized with the cluster controller, you should ensure that all content and configuration exist on the controller before adding members.
78 Chapter 2: 70-227 Certification
Unpredictable behavior might result if content or configuration of members is different from the controller.” More information on this topic can be found in the documentation that comes with the Windows 2000 Advanced Server. To deploy NLB with ISA Server, all ISA Servers that join the cluster must be running Windows 2000 Advanced Server, and. they must use TCP/IP as the networking protocol. Also, they must all be installed in the same mode. On the internal network adapter on each ISA Server computer, configure the Network Load Balancing properties by setting the Primary IP address to the IP address of the Network Load Balancing cluster. All hosts in the cluster must point to this cluster IP address. You will then want to assign a priority to each machine in the cluster. The priority settings must be unique within the cluster. The Dedicated IP address must be the unique IP address of the ISA Server computer's internal network adapter, as this IP address is for individually addressing each host in the cluster. Usually this is the original IP address assigned to the host before you selected an IP address for the NLB configuration. Every single network adapter’s TCP/IP stack must be configured with both the dedicated and the cluster address, with the dedicated address being ordered first. If your server has more than one network adapter, the one with the dedicated address must have a lower metric value, so that it can have a higher priority than the one with the cluster address.
Configuring Cache Array Routing Protocol (CARP) CARP stands for Cache Array Routing Protocol. It is a technology that uses hash-based routing to determine the best path through an array to resolve a request. This means that you deploy CARP to provide scaling and efficiency when there are multiple ISA Server computers configured to be arrayed as a single logical cache. The key advantage of CARP compared to the other technologies is that there is no query messaging between the ISA Servers, thus avoiding the heavy query congestion caused by the increasing number of servers. It also prevents the duplication of contents in the array.
Configuring ISA Server Services 79
By default, CARP is enabled only for outgoing Web requests on all the ISA Servers in an array. CARP for incoming Web requests must be enabled manually. If you want to enable CARP manually, go into the console tree of ISA Management, right-click on the array, and then click Properties - Incoming Web requests (or Outgoing Web requests). When a member server in the array determines that the requested object is not in its cache, it sends the request to another member server using the destination server's intraarray IP address. Generally you do not need to manually modify this address configuration. If you want to modify the address manually, go into the console tree of ISA Management and click Server. In the details pane, right-click the ISA Server and then click Properties - Array Membership. If your ISA Servers are not of equal configuration and you want a particular server to handle more of the load, you can configure the member servers load factor. The load factor determines how to divide the load among the array members. To configure the load factor, go into the console tree of ISA Management, click Computers, in the details pane, right-click the ISA Server computer, and then click Properties - Array Membership. You can then enter the value in the Load Factor field.
80 Chapter 2: 70-227 Certification
VIII Chapter 2: Summary In this chapter you have learned to configure the various ISA services. Keep in mind that ISA Management is the primary MMC interface for configuring your ISA Server. By publishing your servers, public access to the internal servers can be made available securely. Web publishing focuses on the different Web server activities, while server publishing focuses on the server activities other than HTTP, HTTPS, and FTP. ISA Server allows you to set up and secure a VPN by integrating with the VPN functionality of Windows 2000 Server. A VPN encompasses links across the Internet. It enables you to send data between two computers across the net in a manner that emulates the properties of a point-to-point private link. You can configure the ISA Server as a VPN server to support secure gateway-to-gateway communication or client-to-gateway remote access communication. You can set up ISA Server computers as standalone servers or group them into arrays. An array includes one or more ISA Server computers that share the same configuration. With array configuration, CARP can be deployed for optimal performance. For fault tolerance and load sharing, you can deploy Windows 2000 Advanced Server’s NLB functionality.
Configuring ISA Server Services 81
IX
Chapter 2: Practice Test
1. You are the network administrator of your company. You wish to manage the ISA Server on the server side. What should you do? A. Run ISA Configuration MMC. B. Run ISA Management MMC. C. Run ISA Installation MMC. D. Run ISA Implementation MMC.
2. You are the network administrator of your company. You do not know how to use ISA Server 2000, and you are also starting ISA Server for the first time. You wish to find some tips so that you can master ISA Server as soon as possible. Which tool should you run in order to learn ISA Server 2000? A. ISA Configuration Wizard. B. ISA Management Wizard. C. ISA Installation Wizard. D. ISA Getting Started Wizard.
3. After installing ISA Server 2000, you may find the following services in the computer management's services section except which one of these (which one is a non-service)? A. Cache service. B. Firewall service. C. Web proxy service. D. H. 323 Gatekeeper. E. Scheduled cache content download. F. ISA Server control service.
82 Chapter 2: 70-227 Certification 4. You are the network administrator of your company. You set the configuration of basic outbound access for all clients in the network and ensure that all settings are correct. However, some of the clients cannot send data to the Internet. What should you do? A. Reset the configuration. B. Set up a NAT server. C. Set up a DHCP relay agent. D. Check the access polices on the client side.
5. There are three types of clients available in ISA Server 2000. What are they? (Choose all that apply.) A. SecureNAT client. B. Firewall client. C. Network client. D. Web Proxy client. E. VPN client. F. ISA client.
6. You are the network administrator of your company. Clients complain that the Web browsing performance is not good enough. You wish to solve this problem with less administrative effort. What should you do? A. Install ISA Server 2000 as a SecureNAT client. B. Install ISA Server 2000 as a Firewall client. C. Install ISA Server 2000 as a high performance client. D. Install ISA Server 2000 as a Web browsing client. E. Install ISA Server 2000 as a Web Proxy client.
Configuring ISA Server Services 83 7. You are the network administrator of your company. You installed the ISA Server 2000 as a firewall client. Recently, you found that outbound access is not allowed. What is the problem? (Choose all that apply.) A. IPX packets are restricted. B. UDP packets are restricted. C. TCP packets are restricted. D. HTTP packets are restricted. E. FTP packets are restricted.
8. You are the network administrator of your company. You are troubleshooting outbound access problems; what should you check? A. Internet connection. B. Access rules settings. C. DNS settings. D. Connectivity between you and the ISA Server computer. E. Connectivity via other client types.
9. A single client computer can deploy multiple client types at the same time. A. True. B. False.
84 Chapter 2: 70-227 Certification 10. You are the network administrator of your company. Michael installed the ISA Server 2000 and set it as a Web Proxy client. He can no longer connect to the Internet after configuring the Web Proxy client. You are asked to help him. What should you do? (Choose all that apply.) A. Make sure that ISA Server has correct access rules in place. B. Ping the ISA Server to make sure that connectivity exists. C. Run tracert against the DHCP server to make sure that connectivity exists. D. Ping the DHCP server to make sure that connectivity exists.
11. You are the network administrator of your company. Richard installed the ISA Server and set it as a Firewall client. He can no longer connect to the Internet after configuring the Firewall client. You are asked to help him. What should you do? (Choose all that apply.) A. Tracert the DNS server to make sure that connectivity exists. B. Make sure that ISA Server has correct access rules in place. C. Ping the ISA Server to make sure that connectivity exists. D. Run Upgrade Now from the Firewall client to ensure that you are using the latest version of the client software.
12. What is a Perimeter network? A. A big network acting as a neutral network between the Internet and your network. B. A big network acting as a firewall between the Internet and your network. C. A small network acting as a neutral network between the Internet and your network. D. A small network acting as a firewall between the Internet and your network.
Configuring ISA Server Services 85 13. Michael is the network administrator. He implements Web publishing that involves publishing the servers. Why does he want to do that? A. To let external users access the servers. B. To protect the internal network by ISA Servers. C. To protect published servers by ISA Servers. D. To restrict external users accessing the published servers.
14. What protocols are for Web publishing rules? A. NTFS. B. FTP. C. H.323. D. HTTPS. E. HTTP.
15. You are the network administrator of your company. Your company's Web site is secured via SSL. You have found that clients are unable to access the Web site anymore after using SSL. What should you do? A. Make sure that the Enable SSL listeners check box is checked. B. Make sure that the Disable SSL listeners check box is unchecked. C. Make sure Port 443 is opened. D. Make sure Port 443 is blocked. E. Make sure that you have installed the certificate onto the ISA Server computer via the Certificate MMC, and have the certificate issued to the corresponding Web sites.
86 Chapter 2: 70-227 Certification 16. You are the network administrator of your computer. You are publishing a Web server that runs on the same ISA Server. You configure the rule to redirect the request to a non-standard port of the server's internal interface. You want to retain the maximum security. What should you do? A. Retain Kerberos V5 during redirection. B. Retain SSL during the redirection. C. Enable the Require secure channel for published site option. D. Check the Require 128 bit encryption option. E. Check the MS-CHAP V2 option.
17. You are the network administrator of your company. You installed NetMeeting for some of the clients on the network. These clients explain that they are unable to use NetMeeting to interact with other people. You make sure that this is not a hardware problem. What should you do? A. Check to see if H.323 gatekeeper is running. B. Check to see if H.324 gatekeeper is running. C. Check to see if M.323 gatekeeper is running. D. Configure the ISA Server as a Web Proxy Server client. E. Configure the ISA Server as a Firewall client.
Configuring ISA Server Services 87 18. You are the network administrator of your company. You wish to implement an encrypted tunnel between you and your remote clients. You also want to reduce the total cost of ownership (TCO) as much as possible. Finally, you wish to complete the task with less administrative effort. What should you do? A. Implement Active Directory to centralize all resources. B. Implement ISA Server 2000 as a Firewall client. C. Implement Virtual Private Network (VPN) and use L2TP. D. Implement ISA Server 2000 as a Web Proxy Server client.
19. You are the network administrator of your company. You are setting up a Virtual Private Network (VPN) server. You need to determine which VPN protocol you should use. You make sure that IPsec is supported on both server and client sides. Which option should you select? A. Use L2TP over IPsec, if available. Otherwise use PPTP. B. Use PPTP over IPsec, if available. Otherwise use L2TP. C. Use PPTP over IPsec. D. Use L2TP over IPsec.
20. Chu is the network administrator of your company. He combines three ISA Server computers that are running Windows 2000 Advanced Server into a single cluster. Why does he want to do that? A. He wants to achieve fault tolerance. B. He wants to implement Network Load Balancing (NLB). C. He wants to provide the reliability that mission critical servers need. D. He wants to provide the performance that mission critical servers need.
88 Chapter 2: 70-227 Certification
X
Chapter 2: Exercises Lab 2.1
Windows 2000 ISA Server Internet Access
Goal: In this exercise you will configure the ISA Server for accessing the Internet.
Task
Step-by-Step Procedure
1.
1. Go into the ISA Management console tree.
Disable IP Packet Filters.
2. Go to Access Policy. 3. Right-click the IP Packet Filters. Choose Properties. 4. Cancel the Enable IP Packet Filters check box.
Configuring ISA Server Services 89
Notes:
90 Chapter 2: 70-227 Certification
Lab 2.2
Configuring ISA Server Web publishing
Goal: In this exercise you will configure the ISA Server for Web publishing.
Step-by-Step Procedure 5.
Configure the ISA Server for Web publishing
6. Go into the ISA Management console tree. 7. Select Publishing, Right-click Web publishing rule and choose New, then Rule. The Web Publishing Rule Wizard appears. 8. Select the destination set, client’s type, rule actions, etc. Follow the instruction and finish the Wizard setting.
Configuring ISA Server Services 91
Notes:
92 Chapter 2: 70-227 Certification
Lab 2.3
Configuring ISA Server for Server Proxy
Goal: In this exercise you will configure the ISA Server for a Proxy Server.
Step-by-Step Procedure 1. Configure the ISA Server for Server Proxy
1.
Create allow rules to accept clients’ requests.
2.
Configure the size and location of the ISA Server cache file. The default size is 100MB.
3.
Configure client computers to use the ISA Server’s IP address as their default gateway.
Configuring ISA Server Services 93
Notes:
94 Chapter 2: 70-227 Certification
Lab 2.4
Virtual Private Networks (VPN)
Goal: To set up, configure, and troubleshoot a VPN.
Task 1.
Run the Local VPN Configuration wizard.
Step-by-Step Procedure 1. Right-click the network configuration. 2. Choose Set up Local ISA VPN Server. 3. The wizard appears. It tells you that RRAS must be running before you can set up an ISA VPN Server. 4. You are asked to describe the local and remote network. Each name must be less then 10 characters. 5. Choose a VPN protocol. For maximum security, choose L2TP over IPSec. 6. The two-way communication page appears. It asks if you want to implement a two-way communication: both clients and server can make a call. Enable it by checking the check box. 7. The remote VPN Network pages appear. It asks you which remote clients have permission to access your network. Choose the remote clients’ IP addresses you want to let access your network. Click Add to add them. 8. The local VPN Network page appears. You need to tell the wizard what ranges of IPs are in your network. 9. The ISA Server VPN Configuration File page appears. Type the name with which to save the VPN configuration file. Also type the name and password to encrypt the .vpc configuration file. 10. The wizard concludes the task and finishes the setting.
Configuring ISA Server Services 95
Task
Step-by-Step Procedure
2.
1.
Copy the .vpc file you just created to a remote site.
2.
Right-click the network configuration, choose Set up a Remote ISA VPN Server. The Remote ISA VPN Wizard appears.
3.
Enter the path of the .vpc file and the password that will be used to decrypt the file.
4.
The wizard concludes the tasks and finishes the setting.
Run the Remote VPN Configuration wizard.
Notes:
96 Chapter 2: 70-227 Certification
Lab 2.5
Multiple ISA Server scalability
Goal: To configure Network Load Balancing (NLB) and Cache Array Routing Protocols (CARP).
Task
Step-by-Step Procedure
1.
1.
Establish a connection with the server by using appropriate administrative credentials. All cluster members are synchronized with the cluster controller. You should make sure that all content and configuration exist on the controller before adding members.
2.
Use the Application Center New Cluster Wizard. Follow the instruction to finish the setup.
3.
In the console tree of ISA Management, rightclick Array and then click Properties.
4.
On the Incoming Web requests tab, or on the Outgoing Web requests tab, select Resolve requests within array before routing.
2.
Configure Network Load Balancing (NLB) Enable Cache Array Routing Protocols (CARP).
Notes:
Policies and Rules 99
Chapter 3: Policies and Rules The objective of this chapter is to provide the reader with an understanding of the following: 1. Configuring security templates. 2. Configuring the firewall. 3. Configuring policies. 4. Configuring policy elements. 5. Configuring rules. 6. Configuring array. 7. Enterprise administration. 8. Remote array management.
Getting Ready – Questions 1) What are the security levels available in the ISA Server Security Configuration Wizard? 2) What packet filter is used to define which packets the external network adapter accepts? 3) What packet filter is used to define the exceptions to the Allow filters? 4) What tool do you use to create a new IP packet filter? 5) What filter forwards HTTP requests from Firewall clients and SecureNAT clients to the Web Proxy service?
100 Chapter 3: 70-227 Certification
Getting Ready - Answers 1) Secure, Limited Services, and Dedicated.
2) Allow Filter.
3) Block Filter.
4) ISA Management.
5) HTTP Redirect Filter.
I
Introduction
You can use the ISA Server Security Configuration Wizard to apply system security settings to the ISA Server. In fact, ISA Server uses Windows 2000 security templates to configure the operating system for security. The security levels available in the ISA Server Security Configuration Wizard include Secure, Limited Services, and Dedicated.
Policies and Rules 101
II
Corporate standard policies and rules
Security is a business issue. Failure to maintain security can lead the business to a fatal situation. The implementation of security features requires commitment and support from top management. Basically, a corporation will have its own set of security standards defined and expressed as policies. The staff is expected to know and accept the policies. To enforce the policies, rules are built. In ISA Server, the terms Policy and Rule are used extensively. A policy may contain multiple rules. Through these rules the policy is enforced. According to Microsoft, the ISA Server has the ability to define and enforce Internet usage policies for an organization. Your company has a usage policy statement outlined in an employee handbook or guideline, defining what uses and users are allowed, restricted, or prohibited. ISA Server ensures that employees and external users comply with these policies by inspecting all incoming and outgoing requests and applying access rules.
Configuring security templates There are several security levels available in the ISA Server Security Configuration Wizard. Use the Secure level if your ISA Server is also running other services like Web and database. Use the Limited Services level if the ISA Server is functioning as a combined firewall or a caching server. Use the Dedicated level when your ISA Server is functioning as a dedicated firewall and nothing else. Note that if you want to run the ISA Server Security Configuration Wizard, you must ensure that the systemroot\security\templates folder contains the required template: Security level
For standalone server
For domain controller
Secure
Basicsv.inf
Basicdc.inf
Limited Services
Securews.inf
Securedc.inf
Dedicated
Hisecws.inf
Hisecdc.inf
If any of the required templates are missing, you can copy them, manually from the Windows 2000 Server CD.
102 Chapter 3: 70-227 Certification
Configuring the firewall To configure the firewall functionality of ISA Server, you will need to configure the various packet filters. Packet filters rely on IP packet header information including the Source IP address and port, the Destination IP address and port, and the IP protocol information to control which packets will be accepted by the ISA Server external network interface. You do not need to worry about the outgoing filters. When you create the packet filter for handling the incoming packets, ISA Server dynamically creates rules that allow outgoing packets to return to the IP address and port of the original packet.
Figure 3.1
ISA Management
Policies and Rules 103
Figure 3.2
ICMP Ping response (in) Properties
There are two types of packet filters available. The Allow filters are used to define which packets the external network adapter accepts. The Block filters are used to define the exceptions to the Allow filters. When there is a conflict in the settings between these two types of filters, the Block filters determine the effective permissions.
104 Chapter 3: 70-227 Certification
Figure 3.3
IP Packet Filter Wizard
For outgoing traffic handled by the Firewall service or the Web Proxy service, ports are opened automatically and dynamically. This means that it is meaningless to create filters to filter this type of traffic, as you really cannot predict which port is going to be used next. To enable packet filtering and IP routing, go into the console tree of ISA Management, and access the server’s Access Policies - IP Packet Filters – Properties – General section. Make sure that the Enable packet filtering and Enable IP routing check boxes are checked. To create a new IP packet filter, go into the console tree of ISA Management, access the server’s Access Policies - IP Packet Filters, and then in the details pane click Create packet filter to invoke the New IP Packet Filter wizard.
Policies and Rules 105
Figure 3.4
New IP Packet Filter Wizard
The filter modes available are Allow packet transmission and Block packet transmission; the filter types available are Custom and Predefined. There are several predefined filters included with the ISA Server. To give yourself a head start, you may want to first go with those predefined filter types. If you have specific security requirements, you may have to configure one or more custom filters. Custom filters support a broad range of protocols. In addition to ICMP, TCP, UDP, and Any, you can use a protocol number to configure custom protocol support. You can also configure the direction of filtering: Inbound, Outbound, or Both. Note that filtering in both directions may not be necessary, and it is really CPU-intensive to do so. Regarding the local port settings, you can apply any of your rules to all the ports or only to the dynamic ports (any port in the range 1025 to 5000). You can also specify a fixed port with any valid port number.
106 Chapter 3: 70-227 Certification
A remote port is a port on the remote end that communicates with your ISA Server computer. This option is available only when you are using TCP and UDP protocols. Again, you can choose to apply the rule to all remote ports, or only to particular fixed ports. There are some settings specifically for the Internet Control Message Protocol (ICMP). A type indicates the type of ICMP packet. For example, the Echo Reply is of ICMP type 0. Code identifies the messages generated by the ICMP protocol. IP packet filters make forwarding decisions solely based on the header of each IP packet, meaning it may not be secure enough. For additional security or for inspecting complicated protocols like FTP and SMTP, you should consider the use of application filters. You may use application filters as long as you install your ISA Server in Firewall mode or in Integrated mode. Application filters examine the entire transactions between the client and the server. Protocol-specific and system-specific tasks including authentication and anti-virus can be performed accordingly. The application filters available are: • DNS Intrusion Detection filter. •
FTP Access filter.
•
H.323 filter.
•
HTTP Redirector filter.
•
POP Intrusion Detection filter.
•
RPC filter.
•
SMTP filter.
•
SOCKS V4 filter.
•
Streaming Media filter.
Policies and Rules 107
Figure 3.5
ISA Management
You can enable or disable any of these application filters by going into the console tree of ISA Management and selecting the server’s Extensions - Application Filters section. One thing worth your attention is the streaming media filter. It supports the following types of streaming media format: • Microsoft Windows Media MMS allows Windows Media Player client access and server publishing. • Progressive Networks protocol PNM allows RealPlayer client access and server publishing. • Real Time Streaming Protocol RTSP allows RealPlayer G2 and QuickTime 4 client access and server publishing. There is an option for governing streaming media. Known as live stream splitting, this option enables the Streaming Media filter to obtain the media stream from the Internet, and then make it available on a local WMT server for access by clients.
108 Chapter 3: 70-227 Certification
This will greatly improve the overall performance. However, to use this function, you must install Windows Media Services on the ISA Server computer. Another important feature of application filters is the HTTP Redirector filter. It forwards HTTP requests from Firewall clients and SecureNAT clients to the Web Proxy service, so that HTTP requests are cached even if users do not configure their Web browser to use Web Proxy. You may configure the filter to redirect requests to the Web Proxy service, send requests to a specified Web server so that the requested objects are not cached, or discard HTTP requests to force all clients that use the HTTP protocol to be configured as Web Proxy clients.
Securing the firewall The security of your ISA Server can be enhanced by configuring packet filtering options. The options available are: • Configure intrusion detection. – This detects any attack attempt. • Configure PPTP through the ISA Firewall. Allows client computers to establish PPTP connections. • Enable Filtering of IP Fragments. Drop all fragmented IP packets to avoid teardrop attacks. However, if there are video/audio stream traffics, do not use this option. • Enable Filtering of IP Options. Drop all packets that have the words IP Options in the IP header. • Configure Logging of Packets from Allow Filters. Instructs ISA Server to record information about packets that were forwarded because of an allow filter. Always keep in mind that extra logging means extra CPU load as well as extra disk space consumption by the log.
Policies and Rules 109
Troubleshooting the firewall Most of the problems you will encounter with the firewall are the result of filter misconfiguration. You want to make sure that there is no conflict between the allow filters and the deny filters. You want to be sure that the directions of the filtering rules are set correctly. You also want to make sure that the correct types of filters are being used. ISA Server records the non-successful events that occur during its operation in the Windows 2000 Event Viewer. Event Viewer is the primary tool you use to monitor and troubleshoot problems. Each piece of an ISA Server event includes the following: • ID number. Identifies the event type. •
Event message. Describes the event.
•
Explanation. Describes the possible cause of the event.
•
User action. Describes the possible resolution actions.
For individual event messages, there are four possible severity levels: Success, Informational, Warning, and Error. Details of the error can be obtained from Microsoft’s knowledgebase.
110 Chapter 3: 70-227 Certification
III
Controlling Outbound Access
ISA Server provides policy-based access control for securely controlling outbound Internet access. There are many different types of policies available, and we will go through them all.
Configuring access control policies According to Microsoft, your first step in designing an access policy is to determine how you want to structure your access policy. If you want to make Internet access freely available to your employees, you should choose to Allow all access with the exception of specific policies that deny access. If you want to restrict the use of the Internet, choose to Deny all access except the type of access that you want to specifically allow. Of course, you can choose to deploy a combination of both types of access policy. Generally, an access policy in ISA Server consists of policy elements, protocol rules, as well as site and content rules. When ISA Server receives an outgoing client request, it checks the protocol rules and the site and content rules. A request is allowed only if the request satisfies both rules, and if there is no rule that explicitly denies the request.
Figure 3.6
ISA Management
Policies and Rules 111
Figure 3.7
ISA Management
According to the default settings, no traffic is allowed to pass to the outside world. This is because, although there is a site and content rule called "Allow Rule" to allow access to all content on all sites, there are no default protocol rules. You must configure the protocol rules manually. * To configure a rule, you must first define the various policy elements. According to Microsoft TechNet, for any outgoing request, rules are processed in the following order: • Protocol rules. •
Site and content rules.
•
IP packet filters.
•
Routing rules.
An outgoing Web request must pass though the first three sets of rules. The final stage is the routing rules, which are for determining how the request is serviced.
112 Chapter 3: 70-227 Certification
Configuring bandwidth priority You may configure new bandwidth priorities by going into the ISA Management console tree, right-clicking Bandwidth priorities, and then choosing New - Bandwidth Priority. You may define the bandwidth priority for outbound and inbound traffic separately. The valid values are between 1 and 200. Keep in mind that a higher number indicates a higher priority.
Figure 3.8
Default Bandwidth Priority Properties
You use bandwidth priorities to create rules that assign priority to specific traffic. You can give important and interactive traffic a higher priority than the other traffics. However, the priorities will be effective only if the traffics are passing through the ISA Server.
Policies and Rules 113
Configuring bandwidth policies ISA Server provides you with the capability to manage bandwidth. The broad scenario of bandwidth usage is determined by the bandwidth policies. In fact, the policies are enforced by the bandwidth rules you create.
Creating bandwidth rules to manage Internet access You can create a new bandwidth rule by going into the ISA Management console tree, right-clicking Bandwidth Rules, and then choosing New - Rule. This invokes the New Bandwidth Rule wizard.
Figure 3.9
New Bandwidth Rule Wizard
114 Chapter 3: 70-227 Certification
Figure 3.10
New Bandwidth Rule Wizard
Bandwidth rules are used to determine and arrange the priority of communication passing through ISA Server. Bandwidth rules can be based on protocol definitions, users or IP addresses, destination sets, schedules, and content types. The default rule with the lowest priority will take care of traffic to which no other bandwidth rule applies. This default cannot be deleted nor modified.
Creating site and content rules to restrict Internet access You can create a new bandwidth rule by going into the ISA Management console tree and choosing Access Policy - Site and Content Rules. You can then invoke the New Site and Content Rule wizard. In the Advanced View, you can enable, disable, or delete particular rules.
Policies and Rules 115
Site and content rules are used to specify if users or client address sets can gain access to the content on the specific destination sets.
Figure 3.11
New Site and Content Rule Wizard
Creating protocol rules to manage Internet access You can create a new protocol rule by going into the ISA Management console tree and choosing Access Policy - Protocol Rules. You can then invoke the New Protocol Rule wizard. In the Advanced View, you can enable, disable, or delete particular rules. You can use protocol rules to specify which protocols clients can use to access the Internet. When you use protocol rules, you must also pay attention to the site and content rules. This is because a user can gain access to a Web site only if a protocol rule permits the use of the required protocol and a site and content rule allows access to that site.
116 Chapter 3: 70-227 Certification
Creating routing rules to manage Internet access Routing rules can be used to determine whether a Web Proxy client request is retrieved directly from the specified destination, is sent to an upstream server, or is redirected to an alternate site. There is a default routing rule that is ordered last and is configured so that all requested objects are retrieved from the ISA Server cache. If the object is not in the cache, then it will be retrieved directly from the Internet. You can modify this rule, but you cannot delete it.
Figure 3.12
New Routing Rule Wizard
Policies and Rules 117
Figure 3.13
New Routing Rule Wizard
Pop Quiz 3.1
Pop Quiz 3.1 Questions
1) What rule is used for determining and arranging the priority of communication passing through ISA Server? 2) What rule specifies which protocols clients can use to access the Internet? 3) What rule specifies if users or client address sets can gain access to the content on the specific destination sets? 4) Bandwidth priorities will be effective only if the traffics are passing through the ISA Server. True or false? 5) What rules are used for determining how a request is serviced?
118 Chapter 3: 70-227 Certification
Pop Quiz 3.1 Answers
1) Bandwidth rule.
2) Protocol rule.
3) Site and content rule.
4) True.
5) Routing rules.
Notes:
Policies and Rules 119
IV
Troubleshooting access problems
The most common source of access problems is that the different rules that are applied towards the same goal are not configured to fit together. For example, ISA Server will allow a user to gain access to an Internet Web site only if a protocol rule permits the use of that protocol and a site and content rule allow access to the site. This means that you must configure two different rules to achieve this goal. If the rules are not configured to work together, the user will not be able to access the site at all. Once the rules are working well it becomes the responsibility of the routing rule to determine how a request is handled. If the routing rule is not configured properly, the request may be mishandled. If everything is configured properly, the next thing to check is the Internet connectivity. This is not a problem with the ISA Server, but a problem with the network infrastructure. It might also be that the target Web site is down.
User based access problems Error 502 is a common error that prevents clients’ browsers from accessing the Internet.
This can happen if:
You did not create IP packet filters or rules that allow communication. In fact, this can
also prevent users from using specific protocols.
You have an access policy rule that requires authentication but no authentication method
configured for the listener.
To correct the problem, you should create protocol rules to allow specific users to use the
protocols, and then create site and content rules that allow users access to particular sites
with the allowed protocols. Additionally, you should select an authentication method for
the listener.
120 Chapter 3: 70-227 Certification
Packet-based access problems Most of the packet-based problems may originate from the packet filters. Improper configuration of packet filters can cause useful packets to be dropped. One of the events related to packet drop is the event 14044, which gives the error message “The packet filter is dropping IP packets. More details of this event can be found in ISA Server on line help.” This problem usually arises when the IP packet drop rate exceeds the specified level. In this case, you should examine the packet filter logs and see what is wrong before taking further action. If the predefined IP packet drop rate is too low, you can adjust it by going into ISA Management and clicking Arrays – ArrayName -Monitoring configuration – Alerts - Dropped packets alert properties. If you ever encounter event 10146, it is likely that the router is configured incorrectly, leading to “Invalid Ethernet packet in use.” In this case you should check the client network configuration to make sure that the selected frame type matches the frame type used by the servers. Additionally, you should review the local router configuration for packet-length settings. Keep in mind this problem is most likely in the local network segment.
Policies and Rules 121
V
Creating new policy elements
In ISA Server, rules use policy elements. These elements are:
Predefined.
Customizable.
Extensible.
Reusable.
We use these elements to create an access policy.
As a summary, policy elements include:
Client address sets. Represents IP addresses or authenticated users and groups.
Destination sets. Represents URLs.
Protocols.
Content groups. Includes HTTP and FTP traffic.
Schedules.
Bandwidth priorities.
Policy elements Policy elements can be configured in the ISA Management console tree’s Policy Elements section: If you want to specify the days and times when a rule is active, configure the Schedules element. If you want to determine which connection gets priority over the others, configure the Bandwidth priorities element.
122 Chapter 3: 70-227 Certification
Figure 3.14
ISA Management
A rule should contain a destination set that represents one or more computers or directories on the specific computers. A rule should also contain a client address set that represents one or more computers specified by name or by IP address. Content group is the logical grouping of common file types and file extensions. Protocol definition defines the protocols to be covered.
Figure 3.15
New Routing rule Wizard
Policies and Rules 123
Content groups are used to create policy rules for controlling access based on the traffic content. For this to work, you must specify the content's Multipurpose Internet Mail Extensions (MIME) type for controlling HTTP traffic and file extension for controlling FTP traffic. You may use the predefined content groups or define new content groups for specific needs.
Schedules You can apply a schedule to a rule to specify when it is in effect. A schedule can be specified based on time and date. Rules that can have schedules include site and content rules, protocol rules, and bandwidth rules. To create a schedule, go into the console tree of ISA Management and right-click Schedules. Then click New - Schedule.
Bandwidth priorities You use bandwidth priorities to define the priority level applied to the inbound and
outbound connections. Keep in mind that:
Connections with an assigned bandwidth priority will have higher priority than
connections without assigned priorities.
Priorities are directional and can be controlled outbound and inbound.
The priority value must be between 1 and 200.
To configure bandwidth priorities, go into the console tree of ISA Management and right-
click Bandwidth Priorities. Then click New - Bandwidth priority.
Destination sets A destination set includes one or more computers or folders on specific computers that are specified by domain name or by a range of IP addresses. Internal destination sets contain computers within your local network, while external destination sets contain computers in the outside world. With destination sets, you can apply rules selectively. Put it this way, you can apply rules to all destination sets, to all computers except for the specified destination sets, or to one specific destination set.
124 Chapter 3: 70-227 Certification
According to Microsoft, the following formats can be used when you specify a destination: to include a specific directory in the destination set, use “/dir.”; to include all the files in a directory, use “/dir/*”; to select a specific file in a directory, use “ /dir/filename”. You can specify destination sets in the following types of rules: 1. Site and content rules. 2.
Bandwidth rules.
3.
Web publishing rules.
4.
Routing rules.
Client address sets A client address set consists of one or more computers. With client address sets you have the flexibility of applying rules to one or more specific client address sets or to all addresses except the specified client address sets. You may specify client address sets in the following types of rules: 1. Site and content rules. 2.
Protocol rules.
3.
Bandwidth rules.
4.
Server publishing rules.
5.
Web publishing rules.
Protocol definitions Protocol definitions are used for creating protocol rules or server publishing rules. With
protocol definitions, keep in mind that:
Protocol definitions that come with ISA Server cannot be modified or deleted.
Protocol definitions installed with application filters can be deleted but not modified.
User-defined protocol definitions can be edited or deleted.
Server publishing rules use protocol definitions whose direction is inbound only.
Policies and Rules 125
When creating a protocol definition, the items that need to be specified include port number, low-level protocol (either TCP or UDP), and direction (inbound or outbound). Optionally, you can specify one or more secondary connections that represent the range of port numbers, protocols, and directions used for additional connections.
Content groups You use content groups to specify MIME types and file extensions. This allows you to limit an application to specific content groups with a site and content rule or bandwidth rule. The limitation with content groups is that they can be applied only to HTTP and tunneled FTP traffic that passes through the Web Proxy service. Pop Quiz 3.2
Pop Quiz 3.2 Questions
1) What policy element specifies the days and times when a rule is active?
2) What is a destination set?
3) What is a content group?
4) Client address set represents one or more computers specified by name only. True
or false?
126 Chapter 3: 70-227 Certification
Pop Quiz 3.2 Answers
1) Schedules element.
2) It represents one or more computers or directories on the specific computers.
3) It is the logical groupings of common file types and file extensions.
4) False. The computers can also be specified by IP addresses.
Notes:
Policies and Rules 127
VI
Managing ISA Server arrays
In an array, all members share the same configuration and administration. Before you can set up ISA Server as an array member, the ISA Server schema must be installed to Active Directory. According to Microsoft TechNet, ISA Server includes an enterprise initialization utility that an administrator can use to install the ISA Server schema in Active Directory. This administrator must be the administrator of the local computer and be a member of the Enterprise Admin and Schema Admin groups. After the ISA Server schema is imported, all subsequent ISA Server installations to computers in the domain can use the ISA Server schema. This means initialization has to be done only once.
Creating an array of Proxy Servers There are numerous requirements to follow if you want to set up an array. These requirements include: • The enterprise must have been initialized. • All array members must be in the same domain. • All array members must be in the same site. • All array members must be installed with the same mode, be it Cache, Firewall, or Integrated. • All array members must have the same set of add-ins in order to ensure consistent functionality. Note that when you install an add-in on one array member, it will not be automatically installed on the other members. You have to perform the installation manually.
128 Chapter 3: 70-227 Certification
Assigning an enterprise policy to an array In an array, all access policies, caching policies, scheduled content downloads, and publishing and bandwidth rules are defined once at the array level and applied to all the servers. Cache space for the content cache is allocated on each server based on the amount you specify when you configure the cache. Whether or not an array policy can be created and which types of rules can be included in the array policy are solely determined by the enterprise policy settings specified by the enterprise administrator. The enterprise administrator can set up permissions to limit which administrators can configure the rules. The enterprise policy includes site and content rules and protocol rules that can be applied towards an array. According to Microsoft TechNet, if the array uses only an array policy, then you cannot modify the array's policy settings to use an enterprise policy. Likewise, if the array uses an enterprise policy, you cannot change the array's policy settings to use only an array policy. You can create an enterprise policy by going into the console tree of ISA Management – Policies and clicking New - Policy. This will invoke the New Enterprise Policy wizard. You can change the default enterprise policy settings only if no array in the enterprise is currently using these default settings. If an array is currently using the default settings, you will need to change the array's enterprise policy settings to Use custom enterprise policy settings before making changes. To create a default enterprise policy, go into the console tree of ISA Management, rightclick Policies, and then click Set defaults. Keep in mind that once you set the enterprise settings to Array policy only, you will not be able to subsequently modify the settings to Enterprise policy only. Also note that all previously defined array-level site and content rules and protocol rules will be deleted when an enterprise policy is applied to the array.
Policies and Rules 129
As an enterprise administrator, you can decide how the enterprise policy should be applied at the array level. With Enterprise policy only, only the selected enterprise policy applies and no new rules can be added at the array level. With Combined enterprise and array policy, an array policy can be added to the enterprise policy, although the enterprise policy can override the array policy. With Array policy only, the array administrator can create any rule to allow or deny access, and no enterprise policy is applied to the array. You can configure each enterprise policy to allow different administrators privileges to modify the policy. In fact, you can configure permissions for the following ISA Server objects: Enterprise policy settings, Enterprise policies, Array, Alerts, Sessions, and Gatekeeper. Different object types have different permission settings available. For Enterprise policy settings, Enterprise policies, Array, and Gatekeeper objects, Read and Full Control are the available basic permissions. The default enterprise policy permission settings allow the Enterprise Admin as well as the local system to have Full Control permission. All authenticated users have read permission. * Publishing rules cannot be created at the enterprise level. You can specify whether an array is allowed to publish servers by creating Web publishing rules or server publishing rules. * Packet filtering cannot be enabled at the enterprise level. You can enforce packet filtering at the array level though.
130 Chapter 3: 70-227 Certification
Managing remote arrays You can manage multiple ISA standalone servers at a time. Each standalone server belongs to its own array and has its own array policy that you can configure. All the arrays in the enterprise are shown in ISA Management. You can configure the arrays in the enterprise via ISA Management as long as you have the appropriate permissions. Alternatively, you can configure and run Terminal Server client for connecting to the ISA Server computer, as long as the ISA Server computer has Terminal Server installed and running. For information on Terminal Server, refer to the TotalRecall Publications, Inc. Study Guide for 70-215. According to Microsoft TechNet, in order for you to manage a remote ISA Server computer, you must make yourself a member of the Administrators or Server Operators group on the remote computer. Additionally, both the user account and the server computer must be members of the same domain or within trusted domains. You can manage a remote enterprise and arrays by going into the console tree of ISA Management, right-clicking Internet Security and Acceleration Server, and then clicking Connect.
Policies and Rules 131
VII
Chapter 3: Summary
In this chapter, we have gone through the key elements of configuring the firewall and defining various types of policies and rules. For the purpose of taking the exam, you must be familiar with which rules to use in specific conditions. You should also be able to point out the order and conflicts of rule processing. When you install the ISA Server as a standalone server or as an array member, ISA Management will show the server as belonging to an array. When you install ISA Server as an array member, you specify the array to which it belongs. When you install it as a standalone server, you specify an array with the same name as the ISA Server computer that it is created on. ISA Management is your primary tool for managing the array. For remote management, use either ISA Management or Terminal Service.
132 Chapter 3: 70-227 Certification
VIII Chapter 3: Practice Test 1. You are the network administrator of your company. You installed ISA Server 2000 on a computer. You now wish to apply some security policies for the server. Which tool should you use? A. Group policy. B. ISA Server Security Configuration wizard. C. Local policy. D. ISA Server Security policy.
2. You are the network administrator of your company. You installed ISA Server 2000 on a computer. The ISA Server is running other services like Web and database. Which level of security should you apply? A. High secure level. B. Dedicated level. C. Limited services level. D. Secure level.
3. You are the network administrator of your company. You are applying security policies for an ISA Server 2000 computer. You wish to apply the secure level policy. This computer is a domain controller in a domain. Which file is required at %systemroot%\security\templates folder? A. Basicsy.inf. B. Basicdc.inf. C. Securews.inf. D. Securedc.inf. E. Hisecws.inf. F. Hisecdc.inf.
Policies and Rules 133 4. You are the network administrator of your company. You are configuring the firewall functionality of an ISA Server. You wish to use packet filter to filter some specific external packets. Which packet filters should you apply? A. Allow filters. B. Deny filters. C. Accept filters. D. Receive filters. E. Block filters.
5. You are the network administrator of your company. You wish to secure your network. Therefore, you installed ISA Server 2000 as a firewall client. You now wish to apply additional security. What kind of filters should you use? A. External filters. B. Internal filters. C. Application filters. D. Program filters.
6. You are the network administrator of your company. You have found that some of the clients in the network are downloading video files from the Internet. You want to prevent them from downloading video files. What filter should you use? A. Scene filter. B. Display filter. C. Video filter. D. Streaming Media filter.
134 Chapter 3: 70-227 Certification 7. What does filter misconfiguration mean? A. Allow filters confliction. B. Deny filters confliction. C. Allow and deny filters confliction. D. Allow and deny filters redirection.
8. What is the first step in designing an access policy? A. Determining the numbers of access policies. B. Determining the ISA Server client mode. C. Determining the structure of the directory service infrastructure. D. Determining the structure of the network infrastructure. E. Determining the structure of the access policy.
9. For any outgoing request, rules are processed in a predefined order. What is the correct order of the following rules? IP packet filters. Routing rules. Site and content rules. Protocol rules. A. Site and Content rules - Protocol rules - IP Packet Filters - Routing rules. B. Protocol rules - IP Packet Filters - Routing rules - Site and Content rules. C. IP Packet Filters - Routing rules - Protocol rules - Site and Content rules. D. Protocol rules - Site and Content rules - IP Packet Filters - Routing rules. E. Routing rules - IP Packet Filters - Site and Content rules - Protocol rules.
Policies and Rules 135 10. You are the network administrator of your company. You are configuring the bandwidth of an ISA Server. There are two outgoing connections. Connection 1 needs more bandwidth than connection 2. You want to configure the bandwidth usage. What should you do? (Choose all that apply.) A. Go into the ISA Management console tree, right-click Bandwidth priorities, then choose New - Bandwidth Priority. B. Go into the ISA Configuration console tree, right-click Bandwidth priorities, then choose New - Bandwidth Priority. C. Set the priority to 100 and assign it to connection 1. D. Set the priority to 100 and assign it to connection 2.
11. You are the network administrator of your company. You installed the ISA Server 2000 on a computer. You need to restrict the Internet access via this computer. What rules should you apply? A. Protocol rules. B. IP Packet rules. C. Site and content rules. D. Routing rules. E. Domain rules.
136 Chapter 3: 70-227 Certification 12. You are the network administrator of your company. After installing ISA Server 2000, clients complain that they are unable to access to some Web sites over the Internet. You make sure that ISA Server 2000 allows users to access the Internet. What is the problem? A. Clients do not have the permission to access those Web sites. B. The computer running ISA Server 2000 is not connected to the Internet. C. The computer running ISA Server 2000 is crashed. D. The site and content rule denies access to those Web sites.
13. You are the network administrator of your company. After installing ISA Server 2000, clients complain that they can no longer access the Internet. You make sure that ISA Server 2000 allows users to access the Internet. You also make sure that this is not a rules configuration problem. Everything is configured properly. However, clients are still unable to access the Internet. What should you check next? A. Check all domain controllers to see if they work properly. B. Check the event viewer to see if there is a problem. C. Check the Internet connectivity. D. Check the DNS server to see if it works properly.
14. You are the network administrator of your company. You installed ISA Server 2000 on a computer. You now need to specify the days and times when a rule is active. Which element should you configure? A. Schedules. B. Bandwidth priorities. C. Days and times. D. Days and times schedules.
Policies and Rules 137 15. Before setting up ISA Server as an array member, where must you install the ISA Server schema? A. Distributed File System (DFS). B. Primary Domain Controller (PDC). C. Domain Name System (DNS). D. Active Directory (AD).
16. Which two groups must a user belong to if the user decides to install the ISA Server 2000 schema in Active Directory? A. Enterprise Admin. B. Domain Admin. C. Server Operator. D. Schema Admin. E. Local Admin.
17. Michael is unable to modify the array's policy settings of ISA Servers to use an enterprise policy. What is the reason? A. The array uses only one array policy. B. The array uses more than one array policy. C. The array doesn't use any array policy. D. The array has the "No override" GPO applied.
138 Chapter 3: 70-227 Certification 18. What will happen after you set the enterprise settings to array policy? (Choose all that apply.) A. Previously defined array site and content rules will be saved. B. You will not be able to subsequently modify the settings to enterprise policy. C. Previously defined array level site and content rules will be deleted. D. Previously defined array level protocol rules will be saved. E. Previously defined array level protocol rules will be deleted.
19. Publishing rules can be created at the enterprise level. A. True. B. False.
20. You are the help desk of your company. For some reason, you have to manage a remote ISA Server computer. However, you do not have the permission to do so. What position or positions must you have in order to manage a remote ISA Server computer? (Choose all possible answers.) A. Grant yourself a member of the Power Users group. B. Grant yourself a member of the Users group. C. Grant yourself a member of the Domain Local group. D. Grant yourself a member of the Administrators group. E. Grant yourself a member of the Server Operators group.
Policies and Rules 139
Notes:
140 Chapter 3: 70-227 Certification
IX
Chapter 3: Exercises Lab 3.1
Configure access policies and rules
Goal: In this exercise, you will configure access policy and bandwidth rules.
Task 1. Configure access policy
2.
Configure bandwidth rules.
Step-by-Step Procedure 1.
Go into the ISA Management console tree. Expand Access Policy.
2.
There are 3 options inside: Site and Content Rules, Protocol Rules, and IP Packet Filter. You can configure each of them if you want to do so. Go into the ISA Management console tree. Expand Publishing, and then right-click Bandwidth Rules and choose New Bandwidth Rule. The New Bandwidth Rule wizard appears.
1.
2.
Follow the instructions; choosing the priority of the bandwidth you want to assign.
3.
The wizard concludes all final tasks and finishes the setting.
Policies and Rules 141
Notes:
142 Chapter 3: 70-227 Certification
Lab 3.2 rules
Restricting Internet access with site and content
Goal: In this exercise, you will create content rules and configure site rules that restrict Internet access.
Task
Step-by-Step Procedure
1.
1.
Go into the ISA Management console tree. Expand Access Policy. Right-click Site and Content Rules and then choose New Rules. The Site and Content Rule wizard appears.
2.
Follow the instructions, choosing the sites and destinations you want to ban, the time you want to start the rule, and the clients to whom you want to the rule to apply.
3.
The wizard concludes all the final tasks and finishes the setting.
Create content and configure site rules that restrict Internet access.
Policies and Rules 143
Notes:
144 Chapter 3: 70-227 Certification
Lab 3.3
Policy elements
Goal: In this exercise, you will create a schedule, set up bandwidth priorities, and create destination sets.
Task
Step-by-Step Procedure
1.
1.
Go into the ISA management console tree.
2.
Right-click the Schedule option inside the Policy elements. The Setup wizard appears.
3.
Select the time you wish to run the policy.
4.
Select which rule should apply.
5.
Go into the ISA management console tree.
6.
Right-click the Bandwidth rule and select Properties.
7.
The New Bandwidth Rule wizard appears.
8.
Select the protocols to which this rule applies.
9.
Set the priorities of the bandwidth.
2. 3.
Create policy elements: Create a schedule. Set up bandwidth priorities.
Policies and Rules 145
Notes:
146 Chapter 3: 70-227 Certification
Lab 3.4
Proxy Server array
Goal: In this exercise, you will create an array of Proxy Servers and assign an enterprise policy to the array.
Task
Step-by-Step Procedure
1.
1. First, install ISA Server in Cache mode.
2.
1. Install ISA Server in Cache mode. Modify the Active Directory schema.
2.
The ISA setup program will ask you to modify the Active Directory schema in order to install ISA Server in an array. Follow its orders. Or, set up an array by running the New Array wizard via the Server and Arrays option that can be found in the ISA Management console tree.
Notes:
The Client Computers 149
Chapter 4: The Client Computers The objective of this chapter is to provide the reader with an understanding of the following: 1. Configuring Firewall clients. 2. Configuring SecureNAT clients. 3. Configuring Web Proxy clients. 4. Configuring Authentication. 5. Troubleshooting clients.
Getting Ready - Questions 1) How many different types of clients are available with ISA Server? 2) How many types of ISA clients require software installation? 3) How many types of ISA clients require browser reconfiguration? 4) How many types of ISA clients require default gateway reconfiguration? 5) In the context of SecureNAT configuration, how many types of topologies should we examine?
150 Chapter 4: 70-227 Certification
Getting Ready – Answers 1) Web Proxy, SecureNAT, Firewall.
2) Firewall.
3) Web Proxy.
4) SecureNAT.
5) Simple and complex.
I
Introduction Deploying client computers
ISA Server supports three different types of clients. According to Microsoft, you should ask yourself the following questions before deciding which client to use: Do you want to avoid the deployment of client software or the configuration of client computers? If the answer is YES, you should choose the SecureNAT client, as it does not require any software or specific configuration. Do you plan to use ISA Server only for forward caching of Web objects? If so, you should use SecureNAT client so that client requests are transparently passed to the ISA Server Firewall service and then on to the Web Proxy service for caching. Do you want to allow access only for authenticated clients? If so, you should use Firewall client so you can configure user-based access policy rules. In contrast, SecureNAT client does not support user-based authentication. Do you plan to publish servers that are located on your internal network? If so, go ahead with SecureNAT client. You can publish internal servers as SecureNAT clients to eliminate the need for creating special configuration files on the publishing server. All that you need to do is to create a server publishing rule on the ISA Server.
The Client Computers 151
Configuring Firewall client Firewall client is the client type that requires installation and configuration. You can install Firewall client software on computers that run: • Windows ME. • Windows 95. • Windows 98. • Windows NT 4.0. • Windows 2000. Note that 16-bit Winsock applications are supported only on Windows 2000 and Windows NT 4.0. Also note that you should not install the Firewall client software on the ISA Server computer itself. The command that installs the client software is Setup.exe. This file resides in the folder where the shared ISA Server client installation files exist. The ISA Server client installation files are usually located in a folder on the ISA Server computer with the share name ISA_Server_name/MSPClnt. The installation program will install the following components on the client computer: • Mspclnt.ini. Includes shared client configuration data and local domain table (LAT). • Msplat.txt. Includes shared client local address table data. • Firewall client application. When installation is complete, the Firewall client application is enabled. The above components come with default settings. You can change the settings, and then refresh the configuration for the new settings to take effect. The LAT that comes with Msplat.txt is used for determining whether the IP address is internal or external. For external addresses, all connections will be made through the ISA Firewall service. Sometimes you may want to make customized changes. You should not edit the Msplat.txt file, as it will be overwritten at regular intervals with the latest version.
152 Chapter 4: 70-227 Certification
Instead, you should create a custom client LAT file named Locallat.txt and place it in the client Firewall client folder. ISA holds the master copy of the client configuration file Mspclnt.ini. Every Firewall client receives a copy in the Firewall client installation folder. You can use ISA Management to reconfigure the master copy. You can also download the client configuration file from the server again, or change the source server via the Firewall client application. You can configure the Firewall client settings by going into the console tree of ISA Management - Client Configuration, right-clicking Firewall Client, and then choosing Properties.
Figure 4.1
Firewall Client Properties
The Client Computers 153
Troubleshooting client computers A log file is created on the client computer every time client software is installed. This log file, named Firewallc.log, resides in the Firewall client installation directory. It contains information about the setup, such as which client applications were installed and which services were started. Use this log file for troubleshooting, client installation, and configuration. One of the common problems found with the Firewall client is that the internal connection is very slow. This is because the client fails to resolve local names using an external DNS server. The client must wait for a query timeout before trying other methods of name resolution. To solve this problem, you should configure an internal DNS server to hold the names and addresses of all the internal hosts. You should also keep in mind that the Firewall client cannot dial out directly to the Internet. It must go through the ISA Server. To allow direct dial-out connection, you must disable the Firewall Client. You can enable or disable the Firewall client on the client side by going into Control Panel, double-clicking the Firewall client, and then selecting or deselecting the Enable Firewall Client check box.
154 Chapter 4: 70-227 Certification
II Planning the deployment of the client to use ISA Server services Before actually implementing client configuration, enough planning must be performed to ensure successful deployment. You need to plan for the authentication types, client types, implementation costs, and network topologies.
Client authentication ISA Server authentication determines whether a user can gain access to a site by going through the ISA Server. Depending on the type of client, different authentication methods might be used. For SecureNAT clients, access can be restricted to the Internet only based on sites, IP address, protocol, and time of day. For Firewall clients, you may use Firewall client authentication, which is entirely automatic and does not require configuration. For Web Proxy clients, you must manually configure ISA Server to require authentication when Web requests are received. You can configure authentication for outgoing Web requests by going into the ISA Management console tree, right-clicking the ISA Server, and choosing Properties Outgoing Web Requests. You can then select the Ask unauthenticated users for identification check box. Authentication Methods Depending on the client types, you can choose between the different authentication methods available. With Basic authentication, a user is prompted for a user name and password before Web access is allowed. Most browsers on the market support this method. However, since user information is sent as plain text, it is less secure than the next method, Digest authentication. With Digest authentication, hashing is used for passing user information, making this method very secure. However, this method works only in a domain where all domain controllers are running Windows 2000 and all users are using Internet Explorer 5 or later.
The Client Computers 155
With Integrated Windows authentication, either the Kerberos V5 authentication protocol or Windows challenge/response authentication is used. This method does not send the user information across the network at all. As long as the client side is using Internet Explorer 2.0 or later and the network is a Windows network, this method is considered quite safe. With Client Certificate authentication, a client must send in a certificate before the request is processed. The client certificates can be obtained from a Certificate Authority (CA) internally or externally. So far, this is the only method that requires the use of certificates. This is also considered to be the most costly and complex method.
Client operating systems You can base your decision on the client platform types. In fact, your choice of client types can be limited by the client OS. If you want full client functionality, and all your clients are using Windows operating systems, Firewall client is your ideal choice. However, bear in mind the effort you will have to spend installing the client software on each client computer. Client computers that do not have Firewall client software installed on them are referred to as SecureNAT clients. They do not require special software, and the only configuration work to be done is changing the gateway address on the clients. In this way, any OS with TCP/IP configured is supported. A Web Proxy client is a client computer that has a Web browser application with HTTP 1.1 support. The browser must be configured to use the Web Proxy service of your ISA Server in order to access the Web. As long as the browser requirement is fulfilled, this client type is fairly OS-independent.
156 Chapter 4: 70-227 Certification
Network topology When you deploy SecureNAT clients, you want to first identify the network topology: With a simple network topology, there are no routers configured between the SecureNAT the client, and the ISA Server computer. When you configure the SecureNAT clients on a simple network, you should set the SecureNAT client's default gateway to the IP address of the ISA Server computer's internal interface. With a complex network topology, you have one or more routers connecting multiple subnets between a SecureNAT client and the ISA Server computer. When you configure the SecureNAT clients on a complex network, you should set the default gateway settings to the router on the client's local segment. For this configuration to work, you must make sure that the router routes outgoing traffic to the ISA Server computer internal interface correctly
Cost and complexity As discussed before, Firewall client requires relatively more installation work to be done. Additionally, you may have to upgrade your client OS to Windows in order to deploy this client type. Web Proxy client requires a browser the supports HTTP 1.1; this means that older browsers may have to be upgraded. My recommendation is that you try to achieve a balance between implementation cost and desired functionality. Cost should not be the only issue that influences your decision.
The Client Computers 157
Client functions Apart from cost, you may also make your decision based on functionality. The following table summarizes the protocols and authentication supported by the various client types:
SecureNAT client Protocol support
User-level authentication Server application support
Firewall Client
Web Proxy Client
Requires application filters for multiconnection protocols
All Winsock applications
HTTP, HTTP-S, FTP, and Gopher
No
Yes
Yes
Yes
Yes
No
158 Chapter 4: 70-227 Certification
III
Clients for SecureNAT
SecureNAT client is a client that does not have Firewall client software installed.
Configuring client computers for SecureNAT The only configuration that must be done on the client side is configuring the default gateway so that all outgoing traffic is sent by way of the ISA Server. And since all requests from the SecureNAT client are handled by the Firewall service, the client can enjoy the security features available in ISA Server. We can also say that ISA Server extends the Windows 2000 network address translation functionality. Windows 2000 NAT does not have a native authentication mechanism, and ISA Server allows you to apply all kinds of policy for the SecureNAT clients. The only problem with the SecureNAT client type is that it does not work in cache mode.
Troubleshooting client computers for SecureNAT When the SecureNAT clients fail to connect to the Internet, it usually means that the clients are not configured properly. You must make sure that the default gateway and the DNS server are configured properly. If the SecureNAT connections to the Internet work only when the client specifies IP addresses but not computer names, you must configure the DNS server to forward the requests to an external DNS server, as the internal DNS server is not capable of resolving Internet domain names.
The Client Computers 159
If the SecureNAT clients cannot connect to a specific port due to a connection timeout, you must make sure that there is a protocol rule that allows "Any IP traffic." You must also make sure that the needed protocols are listed in the protocol definitions. If packet filtering is not available, your SecureNAT connections may be slow. In this case, you are advised to enable IP packet forwarding as well as dynamic packet filtering. Pop Quiz 4.1
Pop Quiz 4.1 Questions
1) How do you describe a simple network topology?
2) How do you describe a complex network topology?
3) How do you describe basic authentication?
4) With Integrated Windows authentication, what protocol/authentication methods are
used? 5) For SecureNAT clients, access can be restricted to the Internet only based on what?
160 Chapter 4: 70-227 Certification
Pop Quiz 4.1 Answers
1) With a simple network topology, you do not have any routers configured between the SecureNAT client and the ISA Server computer. 2) With a complex network topology, you have one or more routers connecting multiple subnets between a SecureNAT client and the ISA Server computer. 3) With Basic authentication, a user is prompted for a user name and password before being allowed Web access. 4) With Integrated Windows authentication, either the Kerberos V5 authentication protocol or Windows challenge/response authentication is used. 5) Sites, IP address, protocol, and time of day.
Notes:
The Client Computers 161
IV
Installing Firewall client software
To install the Firewall client software on the client, you must first determine the path that holds the installation files. The folder that holds the client installation files is on the ISA Server computer and the path is ISA\MSPclnt. From the client, execute the setup command in the path via the command prompt mode. Once installation is complete, you can change the post-installation settings of the Firewall client via ISA Management - Client Configuration.
Complexity of deployment The deployment of the Firewall client can be extremely complicated. Generally speaking, the default Firewall client configuration should work fine with most Winsock applications with no need for further modification. However, you may need to add and customize the client configuration information in some situations. Mspclnt.ini and Wspcfg.ini are the two configuration files that you can edit. To summarize: Mspclnt.ini: Global client configuration file.
Resides in the Firewall client installation folder.
Periodically downloaded by client to overwrite the previous versions. This is actually an
advantage. You can edit the single copy of the file on the server, and wait for the clients
to download it automatically.
The Firewall client software will first look into the local copy of this file before referring
to the local client configuration file.
Wspcfg.ini: Local client configuration file.
Settings are local to a specific client computer only.
Resides in a specific client application folder.
Will not be overwritten by the global configuration file.
162 Chapter 4: 70-227 Certification
Firewall client configuration can be extremely flexible but difficult. You can deploy settings on a global basis or on a per machine basis. One thing Firewall client does is to allow for deployment complexity, while the other client types do not.
Cost of deployment When you plan for ISA Server and client solution deployment, factors to consider should include but not be limited to: Money The cost of software upgrade in order to deploy the solution. The cost of possible hardware upgrade necessary. Manpower The man cost of installation and configuration. The man cost of user support and training. Time The time cost of installation and configuration. The time cost of user support and training.
Firewall client auto detection With the WinSock Proxy Auto Detect (WSPAD) protocol, the Firewall client software can automatically discover an ISA Server computer or array on the network and use it for access to the external world. WSPAD capability can benefit all the WinSock applications running on that computer. However, since WSPAD uses Web Proxy Auto Detect (WPAD) to find resources, for auto discovery to work you must configure the DHCP option 252 with the appropriate URL string so that WSPAD information can be sent to the client computers. Note that this option is a Microsoft vendor-specific option for IE5. Should the auto discovery process fail, the Firewall client will disable itself and pass all the WinSock calls straight through without sending them to the ISA Server computer. At the same time, it will keep trying to detect the ISA Server computer every time a WinSock call is received.
The Client Computers 163
To enable automatic discovery for Firewall clients, go to the client computer, click Start, and then point to Settings - Control Panel. Double-click Firewall client and then select Automatically detect ISA Server if the client computer should automatically attempt to find the ISA Server, using an automatic discovery setting on the DNS or DHCP server. Although this auto detection topic does not carry a lot of weight in the exam, you may want to find out more information about its structure and potential troubleshooting methods by referring to Microsoft’s knowledgebase articles ID Q260210 and Q296591. Additionally, keep in mind that Automatic Discovery for Web Proxy and Firewall client is not supported for clients that have connection to the LAN via remote access.
164 Chapter 4: 70-227 Certification
V
Using an ISA Server as an HTTP Proxy
HTTP Proxy supports Web browsers that are HTTP 1.1 compliant. To use the ISA Server as the HTTP Proxy, you must have the client’s Web browser configured to use the ISA Server computer as a proxy server.
Configuring the client computer's Web browser Let’s use Internet Explorer 5 as an example. To configure Internet Explorer 5, go into the Tools menu and select Internet Options -> Connections -> LAN Settings. Select the Use a proxy server check box. In the Address box, type the path to the ISA Server computer. In the Port section, type the port number that ISA Server uses for client connections.
Figure 4.2
Internet Options
The Client Computers 165
Figure 4.3
Internet Options
For performance reasons, you should tell your browser to bypass ISA Server when connecting to local computers by selecting the Bypass Proxy Server for local addresses check box. If you are using lots of Web browser helper applications like streaming media clients, you will need to deploy the SecureNAT client or the Firewall client in addition to the Web Proxy client, as these applications may not be able to make use of the proxy facility.
166 Chapter 4: 70-227 Certification
VI
ISA client comparison
The following table shows the comparison between the different ISA Server client features provided by Microsoft.
Feature
SecureNAT client
Firewall client
Web Proxy Client
Installation method
Default gateway configuration only
Software installation
Web browser configuration only
Operating system
Any TCP/IP capable OS
Windows platforms only
Any TCP/IPcapable OS with Web browsers supporting HTTP 1.1 or later
Protocol support
All protocols with primary connections and defined by application filters
All Winsock applications
HTTP, HTTPS, and FTP only
Explicit User-level authentication
No
Yes
No
Server publishing configuration method
No special configuration needed
Requires configuration file
N/A
The Client Computers 167
Pop Quiz 4.2
Pop Quiz 4.2 Questions 1) How do you use the ISA Server as the HTTP Proxy? 2) For performance reasons, you should tell your browser to bypass ISA Server when connecting to non-local computers by selecting the Bypass Proxy Server for local addresses check box. True or false? 3) If you are using lots of Web browser helper applications like streaming media clients, you will need to deploy the SecureNAT client or the Firewall client in addition to the Web Proxy client. True or false? 4) What applications are supported by the Firewall client? 5) What client type supports only the Windows platforms?
168 Chapter 4: 70-227 Certification
Pop Quiz 4.2 Answers 1) To use the ISA Server as the HTTP Proxy, you must have the client’s Web browser configured to use the ISA Server computer as proxy server. 2) False. 3) True. 4) All Winsock applications. 5) Firewall client.
Notes:
The Client Computers 169
VII
Chapter 4: Summary
In this chapter you learned about the different types of ISA clients. You also learned how to configure them in your enterprise. As a summary, a Web Proxy client sends requests directly to the ISA Server computer under the condition that Internet access is limited to the Web browser. SecureNAT client provides security and caching without allowing for user-level authentication. Firewall client restricts access on a per-user basis for outbound access for requests that use TCP and UDP only. You also learned about the different possible authentication mechanisms. If authentication is needed, Basic authentication is the one that is compatible with almost all of the browsers on the market. Requiring a certificate is the safest and the most secure method, at the expense of complexity and implementation cost. Windows integrated authentication is more suitable for an intranet running Windows-only platforms.
170 Chapter 4: 70-227 Certification
VIII Chapter 4: Practice Test 1. You are the network administrator of your company. You wish to avoid the deployment of client software and configuration of client computers. What kind of client mode should you choose? A. Firewall client. B. Web Proxy client. C. SecureNAT client. D. Cache client.
2. What kinds of operating systems does ISA Server Firewall client support? (Choose all that apply.) A. Windows 2000. B. Windows NT. 4.0. C. Windows NT 3.51. D. Windows NT 3.5. E. Windows ME. F. Windows 95.
3. What kinds of operating systems support 16-bit Winsock applications? (Choose all that apply.) A. Windows 95. B. Windows 98. C. Windows ME. D. Windows NT 4.0. E. Windows 2000.
The Client Computers 171 4. During the ISA Server 2000 Firewall client installation, some file or files will be copied to the hard disk. What file or files will be copied? (Choose all that apply.) A. Msplcint.ini. B. Mspclnt.txt. C. Mspcintel.ini. D. Firewall client application. E. Firewall client.
5. You are the network administrator of your company. You wish to make customized changes for a computer running ISA Firewall client. What should you do? A. Edit the Msplat.txt file. B. Edit the Msplcint.ini file. C. Create a custom client LAT file named Locallat.txt and place it in the client firewall client folder. D. Create a custom client LAT file named Remotelat.txt and place it in the client firewall client folder. E. Edit a predefined client LAT file named Latconf.txt.
172 Chapter 4: 70-227 Certification 6. You are the network administrator of your company. You suspect that the ISA Firewall client computer has some problems. You wish to check all the information about the ISA Firewall client setup, such as which client applications were installed and which services were started. In fact, you want to troubleshoot the client installation and configuration. What should you do? A. Check the security log in Event Viewer. B. Check the application log in Event Viewer. C. Check that Firewallc.log resides in the Firewall client installation directory. D. Check that Fwc.log resides in the Firewall client installation directory. 7. ISA Server holds the master copy of the client configuration file Mspclnt.ini.
8. What is one of the common problems found with the Firewall client? A. The internal connection is very slow. B. The external connection is very slow. C. The internal connection is slow if the external connection is fast. D. The external connection is slow if the internal connection is slow.
9. You are the network administrator of your company. You found that after installing the ISA Server 2000 in Firewall mode, all Firewall clients are unable to dial out directly to the Internet since it goes through the ISA Server. What should you do in order to solve this problem? A. Disable the H.323 gatekeeper. B. Reinstall the ISA Server in Firewall mode. C. Open Port 8080. D. Disable the Firewall client.
The Client Computers 173 10. You are the network administrator of your company. Since security is very important to your network, you set the client computers of the ISA Server 2000 to Digest authentication mode. All client computers are running Internet Explorer 5.0 or later in mixed mode. You find that information is not being sent properly. What is the problem? A. Client computers should run Internet Explorer 5.5 or later version. B. Client computers should run Netscape instead of Internet Explorer. C. All domain controllers should run Windows 2000. D. All domain controllers should run Windows NT 4.0.
11. SecureNAT refers to client that does not have: A. Web Proxy client software installed. B. Firewall client software installed. C. Internet Connection Sharing (ICS) installed. D. H.323 gatekeeper installed.
12. You are the network administrator of your company. There is an ISA client computer running in SecureNAT mode in your network. The network is quite complex as there are many routers. You wish to send all outgoing traffic by way of the ISA Server. What configuration do you need to change on the client side? A. Configure the default gateway as the router's on the client's local segment. B. Configure the default gateway as the ISA Server's internal IP. C. Configure the default gateway as the DHCP Server. D. Configure the default gateway as the DNS Server. E. Create a tunnel connection between the ISA Server and the client.
174 Chapter 4: 70-227 Certification 13. You are the network administrator of your company. After setting an ISA client computer as a SecureNAT client, the connection to the Internet fails. What things should you check? (Choose all that apply.) A. Make sure the DNS Server setting is correct. B. Make sure the DHCP Server setting is correct. C. Make sure the WINS Server setting is correct. D. Make sure the subnet mask setting is correct. E. Make sure the default gateway setting is correct.
14. You are the network administrator of your company. After setting an ISA client computer as a SecureNAT client, the ISA client computer cannot connect to some specific ports due to a connection timeout. What things should you check? (Choose all that apply.) A. Make sure the DNS Server setting is correct. B. Make sure there is a protocol rule that allows "Any IP traffic." C. Make sure the needed protocols are listed in the protocol definitions. D. Make sure the default gateway setting is correct.
15. When packet filtering is not available, SecureNAT connections may be slow. In this case, what should you do? A. Enable IP packet forwarding. B. Disable IP packet forwarding. C. Enable static packet filtering. D. Enable dynamic packet filtering.
The Client Computers 175 16. You are the network administrator of your company. There is an ISA Server in the network. You want to use the ISA Server as the HTTP proxy. What must you configure? A. Configure the Active Directory to use the ISA Server as a proxy server. B. Configure the Internet Information Server (IIS) to use the ISA Server as a proxy server. C. Configure the Web browser to use the ISA Server as a proxy server. D. Configure the Primary Domain Controller (PDC) to use the ISA Server as a proxy server.
17. You are the network administrator of your company. There is an ISA Server in the network. You want to increase the performance of the Web browser. What should you do? A. Configure the Web browser to bypass ISA Server when connecting to local computers. B. Configure the Web browser to go through ISA Server when connecting to local computers. C. Configure the Web browser to bypass ISA Server when connecting to remote computers. D. Configure the Web browser to go through ISA Server when connecting to remote computers.
176 Chapter 4: 70-227 Certification 18. Michael is using lots of Web browser helper applications like streaming media clients. These applications may not be able to make use of the proxy facility. What should you do? A. Deploy the SecureNAT client. B. Deploy the Web Proxy client. C. Deploy the Firewall client. D. Deploy the SecureNAT client in conjunction with the Firewall client. E. Deploy the SecureNAT client or the Firewall client in addition to the Web Proxy client.
19. Using Basic authentication on the ISA client side is not recommended. What is the reason? A. Most of the Web browsers do not support this type of authentication method. B. It is not as secure as PAP authentication method. C. It sends user name and password before allowing Web access. D. It sends user name and password after allowing Web access.
20. You are the network administrator of your company. There is an ISA client computer running in SecureNAT mode in the network. The network is quite simple as there are no routers. You wish to send all outgoing traffic by way of the ISA Server. What configuration do you need to change on the client side? A. Configure the default gateway as the router's on the client's local segment. B. Configure the default gateway as the ISA Server's internal IP. C. Configure the default gateway as the DHCP server. D. Configure the default gateway as the DNS server. E. Create a tunnel connection between the ISA Server and the client.
The Client Computers 177
Notes:
178 Chapter 4: 70-227 Certification
IX
Chapter 4: Exercises Lab 4.1
Deployment of client computers
Goal: You will plan the deployment of 200 client computers for use with an ISA Server. (Paper planning exercise.)
Task
Step-by-Step Procedure
1.
1.
Install ISA Server on a computer.
2.
Set up 200 client computers and configure the operating system properly.
3.
Physically connect all client computers to the ISA Server.
4.
Assign ISA Server’s default gateway to all client computers.
Set up an ISA Server.
The Client Computers 179
Notes:
180 Chapter 4: 70-227 Certification
Lab 4.2
SecureNAT
Goal: In this exercise you will configure and troubleshoot the client computer for use with SecureNAT.
Task
Step-by-Step Procedure
1.
1.
Launch Internet Explorer 5.0 or greater browser.
2.
Select Tools, Options, go to Connections tab, choose LAN setting. Make sure the browser is using a proxy server.
3.
Launch the command prompt and type ipconfig/all to check out the default gateway address. Make sure the default gateway is the same as ISA Server’s IP address.
Configure and troubleshoot all client computers for use with SecureNAT.
The Client Computers 181
Notes:
182 Chapter 4: 70-227 Certification
Lab 4.3
HTTP Proxy
Goal: In the exercise you will configure the client computer’s Web browser.
Task 1. Configure the client computer’s Web browser to use a proxy server
Step-by-Step Procedure 1. Launch Internet Explorer 5.0 or greater browser. 2. Go to Tools, Choose Option. 3. Go to Connection, choose LAN setting. 4. Enable the browser to use a proxy server.
Notes:
Using ISA Servers 185
Chapter 5: Using ISA Servers The objective of this chapter is to provide the reader with an understanding of the following: 6. Configuring logging. 7. Understanding events. 8. Configuring alerts. 9. Configuring intrusion detection. 10. Using Netstat, Telnet, and Network Monitor. 11. Performance monitoring.
Getting Ready - Questions 1) What types of databases does ISA Server logging support?
2) An alert triggers an event. True or false?
3) What tool do you use to monitor the performance counter?
4) ISA Server uses its own SMTP function for e-mail alerts. True or false?
5) Network Monitor comes with ISA Server. True or false?
186 Chapter 5: 70-227 Certification
Getting Ready - Answers 1) Any ODBC compliant database.
2) False.
3) System Monitor.
4) False.
5) False.
I
Introduction
In this chapter we will look at the monitoring and reporting strategy for our ISA solutions. You should plan for and document your strategy.
Managing ISA Server To truly “manage” an ISA Server, you will need to perform the following duties regularly: • Monitor the real time statuses. •
Monitor the longer-term performance data.
•
Inspect the log files.
Generally speaking, the following items are critical enough that they deserve your special attention: • Real-time alerts. •
Performance trends.
•
Security-related events.
Using ISA Servers 187
Monitoring ISA Servers When we talk about monitoring the ISA Server, we need to distinguish between real-time monitoring and performance monitoring. With real-time monitoring, you can centrally view all the alerts that have occurred on the ISA Server computer(s) running either standalone or in an array. Additionally, you can view the active client sessions to determine which clients are using the ISA Server to communicate with the Internet. All these occur in real time, and you will rely more on the use of alerts. Performance monitoring, on the other hand, does not need to use real-time information. Your goal will be to analyze and understand how your ISA Server is performing. You will need to track trends and changes in performance, as well as to track the effects of configuration changes. This process will likely involve the use of logs and reports in addition to alerts. The Windows 2000 Performance Logs and Alerts tool helps you collect performance data about the computer’s activities from within your ISA Server computer.
Analyzing ISA Servers As an ISA Server administrator, you should know how to configure real-time alerting for the most critical issues. Issues such as security breaches and DOS attacks can be classified as critical. You do not want to receive alerts for every single issue. You just want your attention to be caught by the most critical issues.
188 Chapter 5: 70-227 Certification
Figure 5.1
Sample Alert
Using ISA Servers 189
Figure 5.2
ISA Management
You should also review the event logs frequently for the less critical events. Building summary reports to capture information from all the logs is very important for your administrative work. This allows you to spot the trends. In addition to alerts and logs, you can analyze the performance of your ISA Server via the various performance counters. The Performance Logs and Alerts tool for Microsoft ISA Server has all the default counters pre-loaded. You can add additional counters for each performance object within ISA Server. Keep in mind though that the performance monitoring facility is not available in a remote administration installation. We will revisit these various performance counter topics later in this chapter.
190 Chapter 5: 70-227 Certification
II
Monitoring security and network usage
Most of the related information required for monitoring ISA Server security can be provided by the logging facility. As an administrator, you should regularly inspect the log to find out if possible access violations have occurred.
Using logging When you configure logging for a standalone ISA Server, the log is available for that server only. When you configure logging for an array, ISA Server generates logs for each server in the array. The logs include information mainly for access and security activity. The types of ISA log files include Packet filter logs, Firewall service logs, and Web Proxy service logs. There are three major types of log formats: • W3C. This format is compatible with the reporting applications that recognize the World Wide Web Consortium format. This format uses the “tab” character as the delimiter. The date and time fields are based on Greenwich Mean Time. • ISA format. This format is useful only when you have a reporting application that can interpret ISA Server logs. This format uses a comma as the delimiter. The date and time fields are local. • ODBC database. This format works if ODBC is configured properly. You can classify the available log files as: Security Logs • Logs that hold security related information. Network Logs • Logs that hold network traffic and access related information.
Using ISA Servers 191
Configuring Logging By default, ISA Server saves its log files to the ISA Logs folder under the installation folder. You can configure log settings by going into ISA Management’s console tree and clicking Logs, then selecting Packet filters - Firewall service (or Web Proxy Service) Properties. Then you will need to decide whether to save the log to a file or to a database, and make sure that Enable logging for this service is enabled on the Log tab. Additionally, you can specify the fields to be included in the log.
Figure 5.3
Sample Log
192 Chapter 5: 70-227 Certification
Logging Packet Filter Activity By default, the ISA Server will log all dropped packets. Keep in mind that the more things that are written to a log, the heavier the load is on the CPU. The more information you log, the more information you will have handy in case you need to perform an analysis. This is a tradeoff you need to consider. To configure logging of packets by a specific filter, you can go into the ISA Management console and proceed through Access Policy -> IP Packet Filters. Right-click the appropriate packet filter and choose Properties – General.
Using alerts In ISA Server, you can define alerts to take action should particular events be detected. Put it this way: an event triggers an alert. Some of the commonly used events in ISA Server include: • Alert action failure. • Failed to retrieve object.
• Asymmetric installation. • Cache container initialization error.
• • •
• Cache container recovery complete.
• • • • • •
Cache file resize failure.
• • • •
Component load failure.
Cache initialization failure. Cache recovery completed. Cache write error. Cached object ignored. Client/server communication
failure.
Configuration error. Dial-on-demand failure. DNS Intrusion.
• Event logging failure.
• • • •
Intra-array credentials. Intrusion detected. Invalid dial-on-demand credentials. Invalid ODBC log credentials. IP packet dropped. IP protocol violation. IP spoofing.
Using ISA Servers 193
• Log failure. • Network configuration • • • •
• •
Service shutdown. Service started.
changed.
• SMTP filter event.
OS component conflict.
• • •
Oversize UDP packet. POP intrusion. Report summary generation failure.
• Resource allocation failure.
• •
• RPC filter - server connectivity changed.
• Server publishing failure. • Service initialization failure. • Service not responding.
SOCKS configuration failure. SOCKS request was refused. The server is out of array's site.
Unregistered event.
Upstream chaining credentials.
• •
Web Proxy routing failure.
•
WMT live stream splitting failure.
Web Proxy routing recovery.
You will need to define alerts to handle these events. You can define more advanced alert actions through the use of scripts.
Configuring alerts You can create an alert by going into the ISA Management console, selecting the server, and proceeding through Monitoring Configuration –> Alerts –> New -> Alert. This invokes the New Alert Wizard. Possible alert actions include: • Sending e-mail messages. • Running a program. • Reporting the event to Windows 2000 event log. • Stopping selected ISA Server services. • Starting selected ISA Server services.
194 Chapter 5: 70-227 Exam
Sending E-Mail Messages to Administrators When you choose to send e-mail messages, you must have a separate SMTP service available. This service can reside on the same server or on a different server. However, you must make sure that there is no packet filter that prevents ISA Server from communicating with the SMTP server. Automatic Alert Configuration After you create an alert, you can configure its properties. In fact, you can specify the number of occurrences before an alert is issued, the number of events per second to occur before an alert is issued, whether to reissue an alert immediately if an event recurs, reissue an alert only after the alert is reset, or reissue an alert after a specified amount of time. Monitor Alert Status When an alert occurs, the corresponding action is performed and recorded. If you have configured an alert to perform an action only after a manual reset, you must manually reset the alert before ISA Server will issue the same alert again. You can view and reset an alert by going into the ISA Management console and proceeding through Monitoring – > Alerts.
Configuring intrusion detection With ISA Server, intrusion detection can happen at the packet filter level and the application filter level. At the packet filter level, you can configure ISA Server to detect the following intrusions: • All ports scan attack. •
IP half scan attack.
•
Land attack.
•
Ping of death attack.
•
UDP bomb attack.
•
Windows out-of-band attack.
You can configure IP intrusion detection by going into the ISA Management console and proceeding through Access Policy -> IP Packet Filters –> Properties -> General. You can also select the type of intrusions on the Intrusion Detection tab.
Using ISA Servers 195
At the application level, you can configure ISA Server to detect the following DNS or POP attacks: • DNS hostname overflow. •
DNS length overflow.
•
DNS zone transfer from privileged ports (1–1024).
•
DNS zone transfer from high ports (above 1024).
•
POP buffer overflow.
You can configure the DNS intrusion detection filter by going into ISA Management – Extensions - Application Filters - DNS Intrusion Detection Filter – Properties – Attacks. You can configure the POP Intrusion Detection filter by going into ISA Management – Extensions - Application Filters - POP Intrusion Detection Filter – Properties – General. Pop Quiz 5.1
Pop Quiz 5.1 Questions
1) Which logging format is compatible with the reporting applications that recognize the World Wide Web Consortium format? 2) Which logging format uses a comma as a delimiter? 3) By default, ISA Server saves its log files to: 4) With ISA Server, intrusion detection can happen at the packet filter level and the application filter level. True or false? 5) DNS or POP attacks can be detected at which level?
196 Chapter 5: 70-227 Exam
Pop Quiz 5.1 Answers
1) W3C.
2) ISA.
3) The ISALogs folder.
4) True.
5) Application level.
Notes:
Using ISA Servers 197
III
Troubleshooting network usage problems
Windows 2000 provides Arp, Ping, Ftp, Netstat, and NBTstat for troubleshooting network connectivity. They can be used to provide useful information when you are trying to determine the root cause of TCP/IP networking problems with ISA Server.
Using Netstat Netstat is the most commonly used command for detecting inbound network connections. It shows the status of all activity on the TCP and UDP ports on the ISA Server local system. According to Microsoft TechNet, the state of a good TCP connection is usually established with 0 bytes in the send and receive queues. If data is blocked in either queue or if the state is irregular, there is probably a problem with the connection. If not, you are probably experiencing network or application delay.
Figure 5.4
Active Connections
198 Chapter 5: 70-227 Exam
Using Telnet You can use the Telnet tool to verify that the computer is configured to permit connections on particular ports. To do so, type the following command: telnet
<port>. If you don’t receive an error message, the computer is configured to permit connections on that port. If you receive an error message, the computer may not be configured to permit connections on that port. You may then want to check the corresponding settings on ISA Server to permit connections again. If Telnet opens and then immediately closes a session, you can still rest assured that the connection to the port is allowed.
Testing the external ports using Network Monitor Another valuable tool you can use is Network Monitor. It allows you to capture packets for further inspection. It also gives you the ability to automatically begin capturing network information upon starting a particular application.
Figure 5.5
Microsoft Network Monitor (Ethernet)
Using ISA Servers 199
Figure 5.6
Microsoft Network Monitor (Capture)
From the captured data, you may be able to find out if there has been an attack, or if there is traffic towards particular ports.
Figure 5.7
Microsoft Network Monitor (Capture 1 (Hex))
Network Monitor is an optional tool included with Windows 2000 Server. This, however, is only a limited version. The full-featured version is included in the Systems Management Server, which must be purchased separately.
200 Chapter 5: 70-227 Exam
IV
Troubleshooting security problems
Netstat, Telnet, and Network Monitor can be used to provide useful information when you are trying to determine the cause of network security problems with Windows 2000 Server and ISA Server.
Using Netstat With Netstat, you can find out if excessive dummy packets are being sent to your server with a DOS attempt. You can also check and find out the states and address information of the currently active ports. This tool will help you determine if the filtering function provided by ISA Server is functioning as intended.
Using Telnet Try to Telnet to the ISA Server and penetrate into the internal network. Telnet is one of the most popular tools used by hackers. If you can successfully telnet into a host, it is likely that the filter configuration has not been done properly.
Using Network Monitor Network Monitor allows you to really “look into” the packets that pass by the ISA Server. You can capture traffic for further analysis and determine if attack attempts exist.
Using ISA Servers 201
V
Analyzing the performance of ISA Servers
You can use the reporting feature of the ISA Server to summarize and analyze the communication patterns. You can also schedule ISA Server to generate the reports periodically. This is much easier than writing custom scripts or SQL queries.
Using reports You can use ISA Server or other third-party reporting applications to create ISA Server reports. ISA Server comes with a set of predefined report formats for you to use. The available report types include: • Summary report. Shows network traffic usage; is based on data from the Web Proxy service logs and Firewall service logs. • Web usage report. Shows the top Web users, common responses, and Web browsers; is based on the Web Proxy service logs. • Application usage report. Shows Internet application usage; is based on the Firewall service logs. • Traffic and utilization report. Displays total Internet usage, average traffic, peak simultaneous connections; cache hit ratio, errors, and other statistics; is based on data from the Web Proxy service logs and the Firewall service logs. • Security report. Shows network security breaching attempts; is based on data from the Web Proxy service logs, the Firewall service logs, and the Packet filter logs.
202 Chapter 5: 70-227 Exam
Figure 5.8
ISA Management
Keep in mind that reports can only be viewed on the ISA Server computer where they are created.
Creating reports ISA Server combines the summary logs from the ISA Server computers into a database on each ISA Server. When you create a report, all the relevant summary databases are combined into a single report database. To create and view a report, follow these steps: 11. Enable logging for the relevant ISA Server components. 12. Enable reporting. 13. Enable daily and monthly report gathering. 14. Create scheduled report job. 15. View the reports.
Using ISA Servers 203
ISA Management can do all of these. Note that before you can view a report, you must create and run a report job. You can schedule a report job to run at a specific time or you can schedule report jobs to run at regular intervals. To create a report job, go into the ISA Management console and proceed through Monitoring Configuration -> Report Jobs –> New -> Report Job –> General. The reports will appear in the Report subfolders. Since the database generation process is resource-intensive, you should avoid running it during peak hours.
Viewing and saving reports To view a report, go into the console tree of ISA Management, choose the applicable report type, and right-click the applicable report in the details pane to open it. To save a report, go into the console tree of ISA Management, choose the applicable report type, and right-click the applicable report in the details pane. Then choose Save As. Additionally, you can specify the Save as type as Web Page (*.htm; *html). Pop Quiz 5.2
Pop Quiz 5.2 Questions
1) What command shows the status of all activity on TCP and UDP ports on the ISA Server local system? 2) List the correct Telnet syntax. 3) What report shows the network traffic usage? 4) What report displays total Internet usage? 5) What report shows network security breaching attempts?
204 Chapter 5: 70-227 Exam
Pop Quiz 5.2Answers 1) Netstat –a.
2) Telnet <port>.
3) Summary report.
4) Traffic and utilization report.
5) Security report.
Notes:
Using ISA Servers 205
VI
Optimizing the performance of an ISA Server
ISA Server includes many performance counters for monitoring the details of server operation. You can also tune ISA Server performance settings to meet your needs. The tool to use for monitoring the performance counters is System Monitor, which is another name of the Windows NT Performance Monitor.
Capacity planning One of the most important issues an administrator will face is determining if the current IT capacity is enough to accommodate current and future network needs. By using System Monitor, you can find out if the current systems are running close to their limits. If so, take action accordingly to upgrade your hardware and software. In fact, many of the performance-related topics found in Exam 210 and 215 can be applied to this exam as well.
Allocation of priorities When resources are scarce, you can assign priorities to different groups of users, as a temporary measure. Bandwidth is one of the resources that is always in high demand. Disk space is another good example. In previous chapters, we talked about bandwidth priorities and bandwidth controls. Always remember that the ultimate goal is to upgrade the infrastructure so that resources are abundant. Allocating priorities is only seen as a temporary measure.
Trend analysis To perform trend analysis, just using logs may not be efficient. One way to do trend analysis is to store the log entries in a relational database system so that you can perform complex queries and analysis on them.
206 Chapter 5: 70-227 Exam
To do this, you need to rely on the 32bit ODBC support in your Windows platform. The
ISA Server CD-ROM includes the following sample scripts in the \ISA folder to assist
you in configuring logs to be stored via ODBC:
Pf.sql defines the Packet Filter log table (PacketFilterLog).
W3p.sql defines the Web Proxy service log table (WebProxyLog).
Msp.sql defines the Firewall service log table (FirewallLog).
Microsoft suggests that you take the following steps to create your own log database:
Open the database application.
Create a new query.
Paste in the text from the applicable database file.
Run the query to create the table.
Once the log data is in the database, you can perform further analysis using different
RDBMS queries and report techniques.
Analyzing ISA Server performance using Performance Monitor You can view the critical ISA Server performance counters by opening ISA Server Performance Monitor from the Microsoft ISA Server menu. Keep in mind that according to Microsoft TechNet, the performance monitoring facility is not available in a remote administration installation.
Using ISA Servers 207
Figure 5.9
ISA Server Performance Monitor
The common ISA Server performance objects are: • ISA Server Cache. Includes counters for monitoring memory, disk, and URL activity associated with the cache. • ISA Server Firewall Service. Includes counters for monitoring Firewall Service connections and associated services. • ISA Server Packet Filter. Includes counters for monitoring packet filtering activity. • ISA Server Web Proxy Service. Includes counters for monitoring the number of users and the rate at which the data is transferred.
208 Chapter 5: 70-227 Exam
There are a number of default counters that you might found useful: • Active Sessions. Counts the number of active sessions for the Firewall service and determines the routine ISA Server usage. • Active TCP Connections. Counts the total number of active TCP connections. • Active UDP Connections. Counts the total number of active UDP connections. • Cache Hit Ratio (%). A Web Proxy service counter that indicates the effectiveness of the cache. A high percentage indicates faster response times due to effective cache usage. • Cache Running Hit Ratio (%). A Web Proxy service counter that is similar to the Cache Hit Ratio counter, except that it measures for the last 10,000 requests serviced only. • Client Bytes Total/Sec. A Web Proxy service counter that shows the total rate for all bytes transferred between the ISA Server computer and Web Proxy clients. • Current Average Milliseconds/Request. A Web Proxy service counter that displays the average amount of time it takes ISA Server to process a request. The lower the amount of time the better. • Current Users. A Web Proxy service counter that indicates the number of clients currently running the Web Proxy service. • Disk Cache Allocated Space (KB). Indicates the amount of disk space being used by the disk cache. • Max URLs Cached. Indicates the maximum number of URLs stored in the cache. • Memory Cache Allocated Space (KB). Measures the amount of space being used by the memory cache. • Requests/Sec. A Web Proxy service counter that monitors the rate of incoming requests made to the Web Proxy service. • SecureNAT Mappings. A Firewall service counter that tracks the number of mappings created by SecureNAT.
Using ISA Servers 209 • Total Dropped Packets. Indicates the total number of dropped or filtered packets. • URL Commit Rate (URL/sec). A cache counter that measures the speed at which URLs are being written to the cache. • URLs in Cache. A cache counter that measures the current number of URLs stored in cache. Details of using the System Monitor are covered in Exam 70-215. Your focus for Exam 70-227 is the appropriate counters to use for monitoring ISA Server.
Analyzing performance of ISA Servers using reports As mentioned before, you can use ISA Server or another third-party reporting application to create ISA Server reports. ISA Server comes with a set of predefined report formats for you to use. Summary report shows network traffic usage, Web usage report shows the top Web users, Application usage report shows Internet application usage, Traffic and utilization report displays total Internet usage, average traffic, peak simultaneous connections; cache hit ratio, errors and other statistics. With the reporting feature of the ISA Server, you can easily summarize and analyze the performance data collected.
Analyzing performance of ISA Servers using logs According to Microsoft, the default ISA Server performance counters are part of a sample log that is stored in %systemroot%\perflogs. This sample binary log can be started manually, and will be updated every 15 seconds until it reaches the maximum size. Corresponding performance data can be viewed in System Monitoring in the Performance console, in various formats.
210 Chapter 5: 70-227 Exam
You can create new log files and choose counters from a number of performance objects.
You can also specify the type of log file, log file location, and scheduling configuration.
Keep in mind that, for the purpose of performance analyzing, Microsoft recommends that
log files should be chosen if the following are desired:
Extended monitoring.
Record-keeping.
On the other hand, graph data is more useful for short-term and real-time monitoring.
Controlling the total RAM used by ISA Server for caching With System Monitor you can closely monitor the cache usage through the series of
Cache performance counters.
To find out if more RAM should be allocated for caching, use the following guidelines:
If “URLs in cache” and/or “Total URLs cached” is low, the cache may not be configured
for optimal use, or the cache size may be too small.
A low “Total memory bytes retrieved (KB)” number indicates that memory resources
dedicated for caching are not being used efficiently.
A high “Total memory bytes retrieved (KB)” number indicates that more memory
resources should be allocated to the cache.
A high Memory usage ratio percent (%) indicates that you should consider allocating
more available memory resources to the cache.
A low Memory usage ratio percent (%) indicates that the memory resources would be
better used elsewhere.
Using ISA Servers 211
Apart from disk cache configuration, you can also configure the percentage of total memory to use for caching by going into the console tree of ISA Management, rightclicking Cache Configuration, and then going to Properties - Advanced - Percentage of available memory to use for caching. You can enter a number between 1 and 100. This number specifies the maximum percentage of memory that should be allocated for caching. You should keep in mind that RAM cache is much faster than disk cache. However, if you allocate too much of the physical RAM for caching, performance of other system services will be adversely affected. You will have to strike a balance in the configuration.
212 Chapter 5: 70-227 Exam
VII
Chapter 5: Summary
This chapter focuses on the ISA Server monitoring and performance optimizing techniques. The alert service of ISA Server notifies you when specified events occur. You can configure alerts to trigger actions in response to those events. The alert service will catch and check the events, and then take the corresponding actions. Obtaining performance data is an important factor in analyzing and understanding how ISA Server is performing. You can use System Monitor together with the appropriate objects and counters to understand your server workload and its corresponding impact on resources, track trends, and changes in performance; test and track the effects of configuration changes; and diagnose any problems that may occur.
Using ISA Servers 213
VIII Chapter 5: Practice Test 1. Generally speaking, what items are the most critical to the monitoring and reporting strategy for ISA solutions? (Choose all that apply.) A. Real-time alerts. B. Performance trends. C. Permission Ssttings. D. Security-related events. E. Bandwidth settings.
2. As an ISA Server administrator, you should: (Choose all that apply.) A. Configure real-time alerting for the most critical issues. B. Receive alerts for every single issue. C. Review the event logs frequently for the less critical events. D. Build summary reports to capture the information from all the logs that is the most important to your administrative work.
3. You are the network administrator of your company. You want to send email messages via an ISA Server. What things should you make sure of first? (Choose all that apply.) A. Have a merged SMTP service available. B. Have a separated SMTP service available. C. Make sure there are some packet filters that access the ISA Server from communicating with the SMTP server. D. Make sure there is no packet filter that prevents ISA Server from communicating with the SMTP server.
214 Chapter 5: 70-227 Exam 4. What are the major types of formats for log files? (Choose all that apply.) A. W3C. B. COM+. C. ISA. D. ODBC. E. TXT. F. INI. G. LAT.
5. In ISA Server 2000, you can define alerts to take some actions should particular events be detected. What are the commonly used events in ISA Server? (Choose all that apply.) A. Alert action failure. B. Alert action success. C. Asymmetric installation. D. Asymmetric configuration. E. Cache container initialization error. F. Cache container recovery complete. G. Cache file resize failure. H. Cache file resize success.
Using ISA Servers 215 6. In ISA Server 2000, you can create an alert by going into ISA Management, selecting the server, and choosing Monitoring Configuration, Alerts, New, then Alert. This will invoke the New Alert Wizard. What alert actions does it include? (Choose all that apply.) A. Sending e-mail messages. B. Running a program. C. Reporting the event to Windows 2000 Event Viewer - Security log. D. Stopping selected ISA Server services. E. Starting Selected ISA Server services.
7. By default, where does ISA Server save its log files? A. Installation folder. B. System32 folder. C. System folder. D. ISA folder. E. %root%\.
8. You are the network administrator of your company. Since some intruders are trying to attack your network, you wish to configure IP intrusion detection on the ISA Server computer. Where can you configure IP intrusion detection for the ISA Server computer? A. ISA Management - Access Policy - IP Packet Filters - Properties - General. B. ISA Management - Security Policy - IP Packet Filters - Properties - Security. C. ISA Management - Access Policy - Deny Access - Properties - General. D. ISA Management - Security Policy - Deny Access - Properties - Security.
216 Chapter 5: 70-227 Exam 9. What kind of attacks can ISA Server detect at the application level? (Choose all that apply.) A. DNS size overflow. B. DNS length overflow. C. DNS Hostname overflow. D. DNS zone transfer from privileged ports (1-1024). E. DNS zone transfer from high ports (above 1024). F. POP buffer overflow. G. POP size overflow.
10. What tools can assist you to determine the causes of TCP/IP networking problems with Windows 2000 Server and ISA Server? (Choose all that apply.) A. IPCONFIG. B. TRACERT. C. ARP. D. PING. E. FTP. F. NBTSTAT. G. NETSTAT.
Using ISA Servers 217 11. Why is Netstat -a the most commonly used command for detecting connections? A. It shows the status of all activity on HTTP and FTP on the ISA client computers. B. It shows the status of all activity on HTTP and FTP on the ISA Server local system. C. It shows the status of all activity on TCP and UDP ports on the ISA client computers. D. It shows the status of all activity on TCP and UDP ports on the ISA Server local system.
12. Telnet tool is used to verify that the computer is configured to permit connections on particular ports. How do you know if the computer is configured to permit connections on a specific port successfully? A. There is a message box telling you that the configuration is successful. B. There is no error message. C. The system makes a sound to remind you. D. The system reboots automatically.
13. Network Monitor is an optional tool included with Windows 2000 Server. This, however, is only a limited version. What is the full-featured version that must be purchased separately? A. Advanced Network Monitor. B. Network Monitor second edition. C. Network Monitor server. D. Systems Management Server.
218 Chapter 5: 70-227 Exam 14. You are the network administrator of your company. You want to use ISA Server reporting application to review reports created earlier. Unfortunately, you are unable to locate the reports. You make sure that no one has touched any of these reports. You also make sure that you didn't assign any security to this report. What is the reason? A. The reports are encrypted. B. The reports have been deleted. C. The reports do not reside on this computer. D. The reports are hidden. E. The reports have expired.
15. You are the network administrator of your company. You want to create and view a report. What steps will you need to follow? (Choose all that apply.) A. Enable logging for the relevant ISA Server components. B. Enable logging for the relevant ISA client computer components. C. Enable reporting. D. Enable daily and monthly report gathering. E. Change all ISA Firewall clients to other modes. F. Create scheduled report jobs.
Using ISA Servers 219 16. You are the network administrator of your company. You want to monitor the performance of ISA Server 2000. What program should you run? A. Performance Monitor. B. Performance Counters. C. System Counters. D. System Monitors E. System Manager.
17. You are the network administrator for your company. You want to view a report created earlier by ISA Server. There is only one server running ISA Server in the network. You make sure that you have all the permissions for accessing this computer. You also make sure that no one has touched this computer before. Finally, you make sure that there is no hardware failure. However, you are unable to locate any report created by ISA Server. What is the problem? A. The ISA Server has crashed. B. Intruders have attacked and deleted the reports. C. You didn't actually run a report job. D. This computer is not a member server of a domain.
220 Chapter 5: 70-227 Exam 18. How do you view a report created by ISA Server 2000? A. ISA Management - choose report type - right-click the applicable report to open it. B. ISA Reporting Center - choose report type - right-click the applicable report to open it. C. ISA Manager - choose report type - right-click the applicable report to open it. D. ISA Reporter - choose report type - right-click the applicable report to open it.
19. You are the network administrator of your company. You want to view the critical ISA Server performance counters. Where should you view them? A. Open ISA Server System Monitor from the ISA Server menu. B. Open ISA Server Performance Monitor from the ISA Server menu. C. Type sms in a shell window. D. Type perfm in a shell window.
Using ISA Servers 221 20. You are the network administrator of your company. Michael is unable to save a report created by ISA Server 2000. He calls you for help. How do you save the report for him? A. ISA Management - choose the applicable report type - right-click the applicable report - Save as - .htm, .html B. ISA Management - choose the applicable report type - right-click the applicable report - Save as - .txt, .doc C. ISA Management - choose the applicable report type - right-click the applicable report - Save as - .isa D. ISA Management - choose the applicable report type - right-click the applicable report - Save as – sys
Notes:
222 Chapter 5: 70-227 Exam
IX
Chapter 5: Exercises Lab 5.1
Monitoring the ISA Server
Goal: In this exercise you will monitor, manage, and analyze the ISA Server.
Task
Step-by-Step Procedure
1.
1.
2.
3.
Creating alerts.
Monitoring sessions.
Performance Monitor.
Go into the ISA Management console tree.
2.
Right-click the Monitoring Configuration, choose Alerts, than choose New. The New Alert Wizard appears.
3.
Follow the Wizard instructions to complete the creation.
1.
1.Go into the ISA Management console tree.
2.
Click the session option.
3.
All current sessions appear in the right pane.
4.
Analyze the session details.
1.
Click Program on the Start menu, select Microsoft ISA Server, then choose Performance Monitor.
2.
Configure any alert logs that you like.
3.
Start monitoring.
Using ISA Servers 223
Notes:
224 Chapter 5: 70-227 Exam
Lab 5.2
Monitor network and security
Goal: In this exercise you will set up and monitor security using the available security and network logs. You will set security and network alerts that will detect Internet intrusions.
Task
Step-by-Step Procedure
1.
1.
Go into the ISA Management console tree. Expand Monitoring, right-click Alerts, and choose New Alert. The New Alert Wizard appears.
2.
Choose a name for the new alert.
3.
Choose an event or condition that will trigger the alert.
4.
Choose an action to be performed when the alert is triggered.
5.
Plan the time for the alert to starting running.
1.
Go into the ISA Management console tree. Expand Monitoring, right-click Logs, and choose New Log. The New Log Wizard appears.
2.
Choose a name for the new log.
3.
Choose what things you need to log. For example, packet filters, firewall service, Web Proxy service.
4.
4. Choose a place to save the log file. You can use the extension W3C or ISA.
2.
Creating alerts.
Creating logs.
Using ISA Servers 225
Notes:
226 Chapter 5: 70-227 Exam
Lab 5.3
Security problems
Goal: In this exercise you will test security connections and external ports using both Netstat and Telnet.
Task
Step-by-Step Procedure
1.
1.
Open a command shell.
2.
Type Netstat -a to display all connections and listening ports.
1.
Open a command shell.
2.
Type Telnet to access to remote computer ports.
2.
Test security connections via the Netstat command.
Test security. Connections via the Telnet command.
Using ISA Servers 227
Notes:
228 Chapter 5: 70-227 Exam
Lab 5.4
Analyzing performance
Goal: In this exercise you will use alerts, reports, logs, and Performance Monitor in analyzing the performance of the ISA Server.
Task
Step-by-Step Procedure
1.
9.
Analyze ISA Server via alerts.
Go to ISA Management, right-click Monitoring Configuration - Alert - New - Alert.
10. Create the alerts you need. 11. Keep ISA Server running. Wait for about a day. 12. Check the server or array objects and view the alerts in the right detail pane.
2.
Analyze ISA Server via log files and reports.
1. Go to ISA Management, select Logs under the Monitoring Configuration object, right-click the service for which you want to log data, and then select Properties. Select whether to log to a file or a database. Configure the parameters for the selected option. 2. To create a report job, right-click Report Jobs under the Monitoring Configuration object, select New, and then select Report Job.
Using ISA Servers 229
Notes:
230 Chapter 5: 70-227 Exam
Lab 5.5
Memory caching
Goal: In this exercise you will learn how to control the total amount of RAM cached by the ISA Server.
Task
Step-by-Step Procedure
1.
1.
Go into the ISA Management console tree.
2.
Expand Cache configuration, right-click drive, and choose Properties.
3.
Change the size or location of the cache file and then click the “Set” button to confirm the changes.
Change the total amount of RAM cache.
Using ISA Servers 231
Notes:
Appendix A 233
Appendix A: I
Chapter 1: Practice Test Answers
1. You are the network administrator. Your company's network is being upgraded to Windows 2000 from NT4. You wish to replace the legacy proxy server with a more powerful system that has the same functions as the proxy server. What system should you implement? A. Implement Internet Connection Sharing (ICS). B. Implement Network Address Translation (NAT). C. Implement Active Directory on the Primary Domain Controller. D. Implement Internet Security and Acceleration Server 2000. E. Implement Dynamic Host Configuration Protocol. Answer: D
234 Appendix A: 70-227 Certification 2. You are the network administrator. Your company's network runs Windows 2000 in native mode. You found that some unknown people are trying to attack your network from the Internet. You wish to implement a firewall and use ports filtering in order to prevent people attacking your network. You also wish to perform NAT so that your internal network will not be showed over the Internet. Finally, you wish to increase the accessing speed by setting a cache server. You want to complete all tasks with less administrative effort. What should you do? A. Install ISA Server 2000 in firewall mode. Protecting the network and inspecting network traffic. B. Install ISA Server 2000 in cache mode. Providing cached objects for the internal clients. C. Install ISA Server 2000 in integrated mode. Providing secure and efficient Internet access and at the same time allows for secure processing of external requests to the internal servers. D. Install ISA Server 2000 in mixed mode. Securing Internet access and meanwhile allows for secure processing of external requests to the internal servers. E. Install ISA Server 2000 in native mode. Preventing external users to access your network by filtering specific ports. Answer: C
Appendix A 235 3. You are the network administrator. Recently, your company installed an ISA Server 2000 on a Windows 2000 Advanced Server computer, which is a member server of the domain. The computer has one 10/100 Ethernet adapter installed on it. After installing ISA Server 2000, the computer is unable to access the Internet. You ensure the Internet connectivity is configured properly. The router is working properly as well. TCP/IP is set up properly for all servers and clients in the network. How do you solve this Problem? (Choose all that apply) A. Unlock Port 8080. B. Unlock port 21. C. Install another NIC on the computer. D. Replace the current 10/100 Ethernet adapter with a faster one. E. Upgrade the computer to a domain controller. F. Unlock port 80. Answers: A,C
236 Appendix A: 70-227 Certification 4. You are the network administrator of your company. Your company's network has 2 domain controllers running Windows NT Server 3.51, 200 client computers running Windows 3.51 Workstation. In addition, there is one DHCP Server. Your company has registered the web site name with InterNIC. All external users are able to locate your web site by resolving FQDN. However, users in your company are unable to resolve internal names. What should you do? (Choose all that apply) A. Upgrade all Domain Controllers to Windows 2000 Server. Upgrade all client computers to Windows 2000 Professional. Implement Active Directory.
B. Upgrade all Domain Controllers to Windows Professional. Upgrade all client computers to Windows 2000 Server. Implement Active Directory. C. Set up a DNS Server and integrate it to the Active Directory. D. Set up a WINS Server and integrate it to the Active Directory. E. Remove the DHCP Server and install DHCP Relay Agent. Answers: A,C
Appendix A 237 5. You are the network administrator of your company. You're asked to install ISA Server 2000 on two computers. However, none of them are able to run ISA Server 2000. You realized that they do not meet all of the requirements for installing ISA Server 2000. What things should you change in order to install ISA Server 2000?
Computer A: CPU: PII 266 Memory: 256 MB Hard Disk: 10GB free space Operating System: Windows 2000 Professional
Computer B: CPU: PII 300 Memory: 96 MB Hard Disk: 1GB free space Operating System: Windows 2000 Server (with SP2) A.
On Computer A, Upgrade the memory to 512
B. On Computer A, Upgrade the OS to Windows 2000 Advanced Server C. On Computer A, Upgrade the OS to Windows 2000 Server and install SP 1 or higher. D. On Computer A, Upgrade the CPU to PII 300 or higher. E. On Computer B, Upgrade the memory to 128 or higher. F. On Computer B, release more Hard disk space in order to install ISA Server 2000. G. On Computer, Upgrade the OS to Windows Advanced Server. Answers: C,D,E
238 Appendix A: 70-227 Certification 6. You are the network administrator of your company. Your company has been attacking via hackers over the Internet. You want to prevent unauthenticated users accessing your network. You also want to prevent people scanning any port inside your network. You want to complete this task with less administrative effort. What should you do? A. Install ISA Server 2000 in cache mode. Caching all information received from external network. B. Install ISA Server 2000 in firewall mode. Runs ports filtering to block specific ports. C. Install ISA Server 2000 in integrated mode. Running both ports filtering and caching. D. Install ISA Server 2000 in protection mode. Runs packets filtering to filter specific packets. Answer: B
7. You are the network administrator of your company. Recently, you installed an ISA Sever 2000 on a computer in integrated mode for packets filtering from the Internet. After installing ISA Server 2000, all internal users are able to connect to the Internet through the ISA Server except Michael. What should you do in order to solve Michael's problem? A. Insert a PTR record with his computer's IP into the DNS primary zone. B. Insert an A record with his computer's name into the DNS primary zone. C. Put his computer's IP into the Local Address Table (LAT). D. Delete his computer's IP from the Local Address Table (LAT). E. Type "ipconfig/renew" in a sell window. Answer: C
Appendix A 239 8. You are the network administrator of your company. You have been assigned the task to modify the Local Address Table (LAT). What kind of IP address can you write into the LAT? A. Public (External) Addresses. Example: 203.191.60.48 B. Subnet mask. C. Private (Internal) Addresses. Example: 172.16.0.1 D. CNAME Records. E. MX Records. Answer: C
9. You are the network administrator of your company. Some clients in your network complain that they ate waiting so long just for receiving a web page over the Internet. You want to solve this problem with less administrative effort. What should you do? A. Enable IPX caching. B. Enable SMTP Caching. C. Enable H.323 caching. D. Enable FTP caching. E. Enable HTTP caching. Answer: E
240 Appendix A: 70-227 Certification 10. Chu is the network administrator of your company. Chu enables negative caching in ISA Server 2000. Why does Chu do that? (Choose all that apply) A. Cache the response to requests that fail, so that error messages can be returned to the clients much faster. B. Retrieve an object from the Internet with a shorter time. C. Retrieve an object even the TTL for the object has expired. D. Retrieve an object from its cache when the object is not accessible on the Internet. Answers: A,C,D
11. You are the network administrator of your company. You need to update the version of some objects in the cache of ISA Server 2000 frequently. Therefore, you try to configure scheduled download. How do you do that? A. Go into the console tree of ISA management - Cache configuration Scheduled Content Download Jobs and select New - Job. B. Go into the console tree of ISA management - Cache information Scheduled Content Download Jobs and select New - Job. C. Go into the console tree of ISA management - Cache modification Scheduled Content Download Jobs and select New - Job. D. Go into the console tree of ISA management - Cache display - Scheduled Content Download Jobs and select New - Job. Answer: A
Appendix A 241 12. You are the network administrator of your company. You want to Install the ISA Server as a member of an array. What should you do? A.
Modify the RAID-5 array.
B. Modify the Active Directory schema. C. Modify the Forest Hierarchy. D. Modify the Domains trust relationship, Answer: B
13. You are the network administrator of your company. You are planning to upgrade the exist proxy server to ISA Server 2000 standard edition on a computer running Windows 2000 Advanced Server. However, the upgrade progress fails. What is the problem? A. The computer doesn't meet the hardware requirement for ISA Server 2000. B. ISA Server 2000 cannot be installed on a Windows 2000 Advanced Server computer. C. ISA Server 2000 can only be installed on domain controllers. D. ISA Server 2000 standard edition cannot be upgraded on a computer running proxy server. Answer: D
242 Appendix A: 70-227 Certification 14. You are the network administrator of your company. You need to install ISA Server 2000 on a computer running proxy server 2.0 under Windows NT Server 4.0. What step or steps should you take in order to successfully install ISA Server 2000? (Choose all that apply) A. Enable the existing proxy services. B. Upgrade the server to Windows 2000. C. Install ISA Server 2000 after upgrading to or installing Windows 2000 Server. D. Format the hard disk, then install Windows 2000 Server. E. Disable the existing proxy services. Answers: B,C,E
15. You are the network administrator of your company. You need to install ISA Server 2000 on a computer running proxy server 2.0 under Windows 2000 Server. You realized that you must disable several services in order to install ISA Server 2000. What service or services should you disable in order to install ISA Server 2000? A. Wspsrv B. Mspadmin C. Mailalrt D. W3svc E. Winnt32 F. NBTstat G. Convert H. Net use Answer: A,B,C,D
Appendix A 243 16. You are the network administrator of your company. Your boss told you that the ISA Server in the network was unable to join an array. What should you do? (Choose all that apply) A. Ensure the DHCP server is working properly. B. Ensure the DNS server is working properly. C. Ensure the domain controller can be contacted. D. Ensure that the array members are using the proper communication configuration. E. Ensure the WINS server is working properly. Answers: C,D
244 Appendix A: 70-227 Certification 17. You are the network administrator of your company. You want to install ISA Server 2000 on a computer running Windows 2000 Advanced Server. You ensure it meets all the hardware requirements for running ISA Server 2000. However, the installation is not completed successfully. What should you do? A. Apply for Windows Service pack 1. B. Apply for ISA Server 2000 Service pack 1. C. Install DHCP Server before installing ISA Server 2000. D. Install proxy server 2.0 before installing ISA Server 2000. Answer: A
18. You are the network administrator of your company. You tried to install ISA Server 2000 on a computer. During the installation period, some errors occurred. How do you analyze those problems? A. Check the event logs in event viewer. B. Check the event logs at c:\%root%\system32\errors.log C. Restart the computer in safe mode. D. Restart the computer in debug mode. Answer: A
Appendix A 245 19. You are the network administrator of your company. You are planning to upgrade the proxy server to ISA Server 2000. You're worried about data loss after installation. What should you do in order to make sure that no data loss will occur with less administrative effort? A. Restart the computer in Active Directory Restore mode. Run ntdsutil command. B. Perform a full backup of the entire Windows operating system. C. Perform a full backup of the system32 directory. D. Perform a full backup of the Proxy Server 2.0 settings and disconnect the server from the Internet. Answer: D
20. How do you enable Active caching? A. Go into the console tree of ISA management - Cache Installation - Install cache policy - Cache Installation Properties - Active caching. B. Go into the console tree of ISA management - Cache Relationship Related cache policy - Cache Relation Properties - Active caching. C. Go into the console tree of ISA management - Cache loading - Load cache policy - Cache Loading Properties - Active caching. D. Go into the console tree of ISA management - Cache Configuration Configure cache policy - Cache configuration Properties – Active caching. Answer: D
246 Appendix A: 70-227 Certification 21. You have just completed your first installation of an ISA Server. You discover that you are not able to connect to Internet resources. What must you do before accessing the Internet is possible? Answer: You must first set up the access rules before Internet access is possible.
22. You have just completed installing and configuring your first ISA Server. Now everyone can connect to Internet resources. Which configuration is not properly configured? Answer: Make sure the LAT is configured properly and that no external addresses are included.
23. During the installation and configuration your first ISA Server you presented with several error messages. What would you consult to obtain more information on the errors? Answer: You should consult the Event logs for further information. It is also recommended that you remove and reinstall ISA Server again.
Appendix A 247 24. Your newly install ISA Server fails to join an array. What would you troubleshoot to solve this problem? Answer: Make sure the domain controller can be contacted. Also make sure that the array members are using the proper communication configuration.
25. Your new ISA Server has been working properly for the last three weeks. You now upgrade the Proxy Server and you are not able to connect to Internet resources. What would you troubleshoot to solve the problem? Answer: Proxy Server 2.0 uses port 80 for connection, while ISA Server uses port 8080. Modify the web proxy client settings accordingly.
248 Appendix A: 70-227 Certification
II
Chapter 2: Practice Test Answers
1. You are the network administrator of your company. You wish to manage the ISA Server on the server side. What should you do? A. Runs ISA Configuration MMC. B. Runs ISA Management MMC. C. Runs ISA Installation MMC. D. Runs ISA Implementation MMC. Answer: B
2. You are the network administrator of you company. Since you do not know how to use ISA Server 2000. You are also starting ISA Server for the first time. You wish to find some tips so that you can master ISA Server as soon as possible. Which tool should you run in order to learn ISA Server 2000? A. ISA Configuration Wizard. B. ISA Management Wizard. C. ISA Installation Wizard. D. ISA Getting Started Wizard. Answer: D
Appendix A 249 3. After installing ISA Server 2000, you may find the following services in computer management's services section except one of those. Which one is a non-service? A. Cache service. B. Firewall service. C. Web proxy service. D. H. 323 Gatekeeper E. Scheduled cache content download F. ISA Server control service Answer: A
4. You are the network administrator of your company. You set the configuration of basic outbound access for all clients in the network and ensure all settings are correct. However, part of the clients cannot send data to the Internet. What should you do?
A. Reset the configuration. B. Set up a NAT server. C. Set up a DHCP relay agent. D. Check the access polices on the client side. Answer: D
250 Appendix A: 70-227 Certification 5. There are three types of clients available in ISA Server 2000. What are they? (Choose all that apply) A. SecureNAT client. B. Firewall client. C. Network client. D. Web proxy client. E. VPN client. F. ISA client. Answers: A,B,D
6. You are the network administrator of your company. Clients explain that the web browsing performance is not good enough. You wish to solve this problem with less administrative effort. What should you do? A. Install ISA Server 2000 as a SecureNAT client. B. Install ISA Server 2000 as a Firewall client. C. Install ISA Server 2000 as a High performance client. D. Install ISA Server 2000 as a Web browsing client. E. Install ISA Server 2000 as a Web proxy client. Answer: E
Appendix A 251 7. You are the network administrator of your company. You installed the ISA Server 2000 as a firewall client. Recently, you found that outbound access are not allowed. What is the problem? (Choose all that apply) A. IPX packets are restricted. B. UDP packets are restricted. C. TCP packets are restricted. D. HTTP packets are restricted. E. FTP packets are restricted. Answers: B,C
8. A single client computer can deploy multiple client types at the same time. A. True B. False Answer: A
9. You are the network administrator of your company. You are troubleshooting outbound access problems, what should you check? A. Internet connection. B. Access rules settings. C. DNS settings. D. Connectivity between you and the ISA Server computer. E. Connectivity via other client types. Answers: B,D,E
252 Appendix A: 70-227 Certification 10. You are the network administrator of your company. Michael installed the ISA Server 2000 and set it as a Web proxy client. He can no longer connect to the Internet after configuring the Web proxy client. You're asked to help him. What should you do? (Choose all that apply) A. Make sure that ISA Server is having correct access rules in place. B. Ping the ISA Server to make sure that connectivity exists. C. Tracert the DHCP server to make sure that connectivity exists. D. Ping the DHCP server to make sure that connectivity exists. Answers: A,B
11. You are the network administrator of your company. Richard installed the ISA Server and set it as a Firewall client. He can no longer connect to the Internet after configuring the Firewall client. You're asked to help me. What should you do? (Choose all that apply) A. Tracert the DNS server to make sure that connectivity exists. B. Make sure that ISA Server is having correct access rules in place. C. Ping the ISA Server to make sure that connectivity exists. D. Run Upgrade Now from the Firewall client to ensure that you are using the latest version of the client software. Answer: B,D
Appendix A 253 12. What is a Perimeter network? A. A perimeter network is a big network acting as a natural network between the Internet and your network. B. A perimeter network is a big network acting as a firewall between the Internet and your network. C. A perimeter network is a small network acting as a neutral network between the Internet and your network. D. A perimeter network is a small network acting as a firewall between the Internet and your network. Answer: C
13. Michael is the network administrator. He implements web publishing, which involves publishing the servers. Why does he want to do that? A. Let external users to access the servers. B. Protect the internal network by ISA Servers. C. Protect published servers by ISA Servers. D. Restrict external users accessing the published servers. Answer: C
14. What protocols for web publishing rules? A. NTFS B. FTP C. H.323 D. HTTPS E. HTTP Answers: B,D,E
254 Appendix A: 70-227 Certification 15. You are the network administrator of your company. Your company's web sites are secured via SSL. You found that clients are unable to access the web site anymore after using SSL. What should you do? A. Ensure that the "Enable SSL listeners" check box is checked. B. Ensure that the "Disable SSL listeners" check box is unchecked. C. Ensure port 443 is opened. D. Ensure port 443 is blocked. E. Ensure Install the certificate onto the ISA Server computer via the Certificate MMC, and have the certificate issued to the corresponding web sites. Answers: A,C,E
16. You are the network administrator of your computer. You are publishing a web server that runs on the same ISA Server, you configure the rule to redirect the request to non-standard port of server's internal interface. You want to retain the maximum security. What should you do? A. Remain Kerberos V5 during redirection. B. Remain SSL during the redirection. C. Enable the "Require secure channel for published site" option. D. Check the "Require 128 bit encryption" option. E. Check the "MS-CHAP V2" option. Answers: B,C,D
Appendix A 255 17. You are the network administrator of your company. You installed NetMeeting for some of the clients in the network. Those clients explain that they're unable to use NetMeeting to interact with other people. You ensure that this is not hardware problem. What should you do? A. Check to see if H.323 gatekeeper is running. B. Check to see if H.324 gatekeeper is running. C. Check to see if M.323 gatekeeper is running. D. Configure the ISA Server as a web proxy server client. E. Configure the ISA Server as a firewall client. Answer: A
18. You are the network administrator of your company. You wish to implement an encrypted tunnel between you and those remote clients. You also want to reduce the total cost of ownership (TCO) as much as possible. Finally, you wish to complete the task with less administrative effort. What should you do? A. Implement Active Directory to centralize all resources. B. Implement ISA Server 2000 as a firewall client. C. Implement Virtual Private Network (VPN) and use L2TP. D. Implement ISA Server 2000 as a web proxy server client. Answer: C
256 Appendix A: 70-227 Certification 19. You are the network administrator of your company. You are setting up a Virtual Private Network (VPN) Server. You need to determine which VPN protocol you should use. You ensure that IPsec is supported on both server and client side. Which option should you select? A. Use L2TP over IPsec, if available. Otherwise use PPTP. B. Use PPTP over IPsec, if available. Otherwise use L2TP. C. Use PPTP over IPsec. D. Use L2TP over IPsec. Answer: D
20. Chu is the network administrator of your company. He combines three ISA Server computers that are running Windows 2000 Advanced Server into a single cluster. Why does he want to do that? A. He wants to achieve fault tolerance. B. He wants to implement Network Load Balancing (NLB). C. He wants to provide the reliability that mission critical servers needed. D. He wants to provide the performance that mission critical servers needed. Answers: A,B,C,D
Appendix A 257
III
Chapter 3: Practice Test Answers
1. You are the network administrator of your company. You installed ISA Server 2000 on a computer. You now wish to apply some security policies for the server. Which tool should you use? A. Group Policy. B. ISA Server Security Configuration Wizard. C. Local Policy. D. ISA Server Security Policy. Answer: B
2. You are the network administrator of your company. You installed ISA Server 2000 on a computer. The ISA Server is running other services like web and database. Which level of security should you apply? A. High secure level. B. Dedicated level. C. Limited services level. D. Secure level. Answer: D
258 Appendix A: 70-227 Certification 3. You are the network administrator of your company. You are applying security policies for an ISA Server 2000 computer. You wish to apply the Secure level policy. This computer is a domain controller in a domain. Which file is required at %systemroot%\security\templates folder? A. Basicsy.inf B. Basicdc.inf C. Securews.inf D. Securedc.inf E. Hisecws.inf F. Hisecdc.inf Answer: B
4. You are the network administrator of your company. You are configuring the firewall functionality of an ISA Server. You wish to use packet filter to filter some specific external packets. Which packet filter should you apply? A. Allow filters. B. Deny Filters. C. Accept Filters. D. Receive Filters. E. Block Filters. Answer: A
Appendix A 259 5. You are the network administrator of your company. You wish to secure your network. Therefore, you installed ISA Server 2000 as a firewall client. You now wish to apply additional security. What kind of filter should you use? A. External Filters. B. Internal Filters. C. Application Filters. D. Program Filters. Answer: C
6. You are the network administrator of your company. You found that some of the clients in the network are always downloading video files from the Internet. You want to prevent them downloading those video files. What filter should you use? A. Scene Filter B. Display Filter C. Video Filter D. Streaming Media Filter Answer: D
7. What is the meaning of Filter misconfiguration? A. Allow filters confliction. B. Deny filters confliction. C. Allow and Deny filters confliction. D. Allow and Deny filters redirection. Answer: C
260 Appendix A: 70-227 Certification 8. What is the first step in designing an access policy? A. Determining the numbers of access policies. B. Determining the ISA Server client mode. C. Determining the structure of the directory service infrastructure. D. Determining the structure of the network infrastructure. E. Determining the structure of the access policy. Answer: E
9. For any outgoing request, rules are processed in a predefined order. What is the correct order? IP packet filters. Routing rules. Site and Content rules. Protocol Rules. A. Site and Content rules - Protocol rules - IP Packet Filters - Routing rules B. Protocol rules - IP Packet Filters - Routing rules - Site and Content rules C. IP Packet Filters - Routing rules - Protocol rules - Site and Content rules D. Protocol rules - Site and Content rules - IP Packet Filters - Routing rules E. Routing rules - IP Packet Filters - Site and Content rules - Protocol rules Answer: D
Appendix A 261 10. You are the network administrator of your company. You are configuring the bandwidth of an ISA Server. There are two outgoing connections. Since connection1 needs more bandwidth than connection2. You wish to configure the bandwidth usage. What should you do? (Choose all that apply) A. Go into the ISA Management console tree, right click Bandwidth priorities, choose New - Bandwidth Priority. B. Go into the ISA Configuration console tree, right click Bandwidth priorities, choose New - Bandwidth Priority. C. Set the priority to 100 and assign it to connection1. D. Set the priority to 100 and assign it to connection 2. Answers: A,C
11. You are the network administrator of your company. You installed the ISA Server 2000 on a computer. You need to restrict the Internet access via this computer. What rules should you apply? A. Protocol rules. B. IP Packet rules. C. Site and Content rules. D. Routing rules. E. Domain rules. Answer: C
262 Appendix A: 70-227 Certification 12. You are the network administrator of your company. After installing the ISA Server 2000. Clients complain that they are unable to access to some web sites over the Internet. You ensure that the ISA Server 2000 allows users to access the Internet. What is the problem? A. Clients do not have the permission to access to those web sites. B. The computer running ISA Server 2000 is not connected to the Internet. C. The computer running ISA Server 2000 is crashed. D. The Site and Content rule denies access to those web sites. Answer: D
13. You are the network administrator of your company. After installing the ISA Server 2000. Clients complain that they no longer can access to the Internet. You ensure that the ISA Server 2000 allows users to access the Internet. You also ensure this is not rules configuration problem. Everything is configured properly. However, clients are still unable to access the Internet. What should you check next? A. Check all domain controllers to see if they work properly. B. Check the event viewer to see if there is any problem. C. Check the Internet connectivity. D. Check the DNS server too see if it works properly. Answer: C
Appendix A 263 14. You are the network administrator of your company. You installed the ISA Server 2000 on a computer. You now need to specify the days and times when a rule is active, which element should you configure? A. Schedules. B. Bandwidth priorities. C. Days and times. D. Days and times schedules. Answer: A
15. Before setting up ISA Server as an array member, where must you install the ISA Server schema? A. Distributed File System (DFS). B. Primary Domain Controller (PDC). C. Domain Name System (DNS). D. Active Directory (AD). Answer: D
16. Which two positions must a person are if that person wants to install the ISA Server 2000 schema in Active Directory? A. Enterprise Admin. B. Domain Admin. C. Server Operator. D. Schema Admin. E. Local Admin. Answers: A,D
264 Appendix A: 70-227 Certification 17. Michael is unable to modify the array's policy settings of ISA Servers to use an enterprise policy. What is the reason? A. The array uses only one array policy. B. The array uses more than one array policy. C. The array doesn't use any array policy. D. The array has the "No override" GPO applied. Answer: A
18. What will happen after you set the enterprise settings to array policy? (Choose all that apply) A. Previously defined array site and content rules will be saved. B. You will not be able to subsequently modify the settings to Enterprise policy. C. Previously defined array level site and content rules will be deleted. D. Previously defined array level protocol rules will be saved. E. Previously defined array level protocol rules will be deleted. Answers: B,C,E
19. Publishing rules can be created at the Enterprise level. A. True B. False Answer: B
Appendix A 265 20. You are the help desk of your company. For some reason, you have to manage a remote ISA Server computer. However, you do not have the permission to do so. What position or positions must you have in order to manage a remote ISA Server computer? (Choose all possible answers) A. Grant yourself a member of the Power Users group. B. Grant yourself a member of the Users group. C. Grant yourself a member of the Domain Local group. D. Grant yourself a member of the Administrators group. E. Grant yourself a member of the Server Operators group. Answers: D,E
266 Appendix A: 70-227 Certification
IV
Chapter 4: Practice Test Answers
1. You are the network administrator of your company. You wish to avoid the deployment of client software and configuration of client computers. What kind of client mode should you choose? A. Firewall client. B. Web Proxy client. C. SecureNAT client. D. Cache client. Answer: C
2. Which Operating systems will ISA Servers support when acting as a firewall client. (Choose all that apply) A. Windows 2000 B. Windows NT. 4.0 C. Windows NT 3.51 D. Windows NT 3.5 E. Windows ME F. Windows 95 Answers: A,B,E,F
Appendix A 267 3. What kind of operating systems support 16-bit Winsock applications? (Choose all that apply) A. Windows 95 B. Windows 98 C. Windows ME D. Windows NT 4.0 E. Windows 2000 Answers: D,E
4. During the ISA Server 2000 Firewall client installation. Some file or files will be copied to the Hard Disk. What file or files will be copied? (Choose all that apply) A. Msplcint.ini B. Mspclnt.txt C. Mspcintel.ini D. Firewall client application. E. Firewall client. Answers: B,D
268 Appendix A: 70-227 Certification 5. You are the network administrator of your company. You wish to make customized changes for a computer running ISA Firewall client. What should you do? A. Edit the Msplat.txt file. B. Edit the Msplcint.ini file. C. Create a custom client LAT file named Locallat.txt and place it in the client firewall client folder. D. Create a custom client LAT file named Remotelat.txt and place it in the client firewall client folder. E. Edit a predefined client LAT file named Latconf.txt. Answer: C
6. ISA Server holds the master copy of the client configuration file Mspclnt.ini. A. True B. False Answer: A
Appendix A 269 7. You are the network administrator of your company. You suspect the ISA Firewall client computer has some problems. You wish to check all the information about the ISA Firewall client setup, such as which client applications were installed and which services were started. In fact, you want to troubleshoot client installation and configuration. What should you do? A. Check the security log in Event Viewer. B. Check the application log in Event Viewer. C. Check the Firewallc.log resides in the Firewall client installation directory. D. Check the Fwc.log resides in the Firewall client installation directory. Answer: C
8. What is one of the common problems found with the Firewall client? A. The internal connection is very slow. B. The external connection is very slow. C. The internal connection is slow if the external connection is fast. D. The external connection is slow if the internal connection is slow. Answer: A
9. You are the network administrator of your company. You found that after installing the ISA Server 2000 in Firewall mode all Firewall clients are unable to dial out directly to the Internet. All access to the Internet goes through the ISA Server. What should you do in order to solve this problem? A. Disable the H.323 gatekeeper. B. Reinstall the ISA Server in Firewall mode. C. Open port 8080. D. Disable the Firewall client. Answer: D
270 Appendix A: 70-227 Certification 10. You are the network administrator of your company. Since secure is very important to your network. You set the client computers of the ISA Server 2000 to Digest authentication mode. All client computers are running Internet Explorer 5.0 or later in mixed mode. You found that information is not being sent properly. What is the problem? A. Client computers should run Internet Explorer 5.5 or later version. B. Client computers should run Netscape instead of Internet Explorer. C. All domain controllers should run Windows 2000. D. All domain controllers should run Windows NT 4.0. Answer: C
11. SecureNAT refers to client that does not have: A. Web proxy client software installed. B. Firewall client software installed. C. Internet Connection Sharing (ICS) installed. D. H.323 gatekeeper installed. Answer: B
12. You are the network administrator of your company. There is an ISA client computer running in SecureNAT mode in your network. The network is quite complex as there are many routers. You wish to send all outgoing traffic by way of the ISA Server. What configuration do you need to change on the client side? A. Configure the default gateway as the router's on the client's local segment. B. Configure the default gateway as the ISA Server's internal IP. C. Configure the default gateway as the DHCP Server. D. Configure the default gateway as the DNS Server. E. Create a tunnel connection between the ISA Server and the client. Answer: A
Appendix A 271 13. You are the network administrator of your company. After setting an ISA client computer as a SecureNAT client. The connection to the Internet fails. What things should you check? (Choose all that apply) A. Ensure the DNS Server setting is correct. B. Ensure the DHCP Server setting is correct. C. Ensure the WINS Server setting is correct. D. Ensure the subnet mask setting is correct. E. Ensure the default gateway setting is correct. Answers: A,E
14. You are the network administrator of your company. After setting an ISA client computer as a SecureNAT client. The ISA client computer cannot connect to some specific ports due to a connection time out. What things should you check? (Choose all that apply) A. Ensure the DNS Server setting is correct. B. Ensure there is a protocol rule that allows "Any IP traffic". C. Ensure the needed protocols are listed in the protocol definitions. D. Ensure the default gateway setting is correct. Answers: B,C
15. When packet filtering is not available, SecureNAT connections may be slow. In this case, what are you advised to do? A. Enable IP packet forwarding. B. Disable IP packet forwarding. C. Enable static packet filtering. D. Enable dynamic packet filtering. Answers: A,D
272 Appendix A: 70-227 Certification 16. You are the network administrator of your company. There is an ISA Server in the network. You want to use the ISA Server as the HTTP proxy. What must you configure? A. Configure the Active Directory to use the ISA Server as a proxy server. B. Configure the Internet Information Server (IIS) to use the ISA Server as a proxy server. C. Configure the web browser to use the ISA Server as a proxy server. D. Configure the Primary Domain Controller (PDC) to use the ISA Server as a proxy server. Answer: C
17. You are the network administrator of your company. There is an ISA Server in the network. You want to increase the performance of the web browser. What should you do? A. Configure the web browser to bypass ISA Server when connecting to local computers. B. Configure the web browser to go through ISA Server when connecting to local computers. C. Configure the web browser to bypass ISA Server when connecting to remote computers. D. Configure the web browser to go through ISA Server when connecting to remote computers. Answer: A
Appendix A 273 18. Michael is using lots of web browser helper applications like streaming media clients. These applications may not be able to make use of the proxy facility. What should you do? A. Deploy the SecureNAT client. B. Deploy the Web proxy client. C. Deploy the Firewall client. D. Deploy the SecureNAT client in conjunction with the Firewall client. E. Deploy the SecureNAT client or the Firewall client in addition to the Web Proxy client. Answer: E
19. You are the network administrator of your company. There is an ISA client computer running in SecureNAT mode in the network. The network is quite simple as there are no routers. You wish to send all outgoing traffic by way of the ISA Server. What configuration do you need to change on the client side? A. Configure the default gateway as the router's on the client's local segment. B. Configure the default gateway as the ISA Server's internal IP. C. Configure the default gateway as the DHCP Server. D. Configure the default gateway as the DNS Server. E. Create a tunnel connection between the ISA Server and the client. Answer: B
274 Appendix A: 70-227 Certification 20. Using Basic authentication on the ISA client side is not recommended. What is the reason? A. Most of the web browsers do not support this type of authentication method. B. It is not as secure as PAP authentication method. C. It sends user name and password before allowing web access. D. It sends user name and password after allowing web access. Answer: C
Appendix A 275
V
Chapter 5: Practice Test Answers
1. Generally speaking, what items are the most critical to the monitoring and reporting strategy for ISA solutions? (Choose all that apply) A. Real-time alerts. B. Performance Trends. C. Permission Settings. D. Security-related events. E. Bandwidth settings. Answers: A,B,D
2. As an ISA Server administrator. You should: (Choose all that apply) A. Configuring real-time alerting for the most critical issues. B. Receive alerts for every single issue. C. Review the event logs frequently for the less critical events. D. Build summary reports to capture information from all the logs that is the most important to your administrative work. Answers: A,C,D
276 Appendix A: 70-227 Certification 3. You are the network administrator of your company. You want to send email messages via an ISA Server. What things should you ensure first? (Choose all that apply) A. Having a merged SMTP service available. B. Having a separated SMTP service available. C. Ensure there are some packet filters that access the ISA Server from communicating with the SMTP server. D. Ensure there is no packet filter that prevents ISA Server from communicating with the SMTP server. Answers: B,D
4. Regarding the format of log files, what are the major types of those log files? (Choose all that apply) A. W3C B. COM+ C. ISA D. ODBC E. TXT F. INI G. LAT Answers: A,C,D
Appendix A 277 5. In ISA Server 2000, you can define alerts to take some actions should particular events be detected. What are the commonly used events in ISA Server? (Choose all that apply) A. Alert action failure B. Alert action success C. Asymmetric installation D. Asymmetric configuration E. Cache container initialization error F. Cache container recovery complete G. Cache file resize failure H. Cache file resize success Answers: A,C,E,F,G
6. In ISA Server 2000, you may create an alert by going into ISA Management, select the server and choose Monitoring Configuration, Alerts, New, then Alert. This will invoke the New Alert Wizard. What alert actions does it include? (Choose all that apply) A. Sending e-mail messages B. Running a program C. Reporting the event to Windows 2000 Event Viewer - Security log D. Stopping selected ISA Server services E. Starting Selected ISA Server services Answers: A,B,D,E
278 Appendix A: 70-227 Certification 7. By default, where does ISA Server save its log files? A. Installation folder. B. System32 folder. C. System folder. D. ISA folder. E. %root%\ Answer: A
8. You are the network administrator of your company. Since some intruders are trying to attack your network. You wish to configure IP intrusion detection on the ISA Server computer. Where can you configure IP intrusion detection for the ISA Server computer? A. ISA Management - Access Policy - IP Packet Filters - Properties - General. B. ISA Management - Security Policy - IP Packet Filters - Properties - Security. C. ISA Management - Access Policy - Deny Access - Properties - General. D. ISA Management - Security Policy - Deny Access - Properties - Security. Answer: A
Appendix A 279 9. What kind of attacks can ISA Server detect at the application level? (Choose all that apply) A. DNS Size overflow B. DNS Length overflow C. DNS Hostname overflow D. DNS Zone transfer from privileged ports (1-1024) E. DNS Zone transfer from high ports (above 1024) F. POP Buffer overflow G. POP Size overflow Answers: B,C,D,E,F
10. What tools can assist you to determine the cause of TCP/IP networking problems with Windows 2000 Server and ISA Server? (Choose all that apply) A. IPCONFIG B. TRACERT C. ARP D. PING E. FTP F. NBTSTAT G. NETSTAT Answers: C,D,E,F,G
280 Appendix A: 70-227 Certification 11. Netstat -a is the most commonly used command for detecting the connections. What is the reason? A. It shows the status of all activity on HTTP and FTP on the ISA client computers. B. It shows the status of all activity on HTTP and FTP on the ISA Server local system. C. It shows the status of all activity on TCP and UDP ports on the ISA client computers. D. It shows the status of all activity on TCP and UDP ports on the ISA Server local system. Answer: D
12. Telnet tool is used to verify that the computer is configured to permit connections on the particular ports. How do you know if the computer is configured to permit connections on a specific port successfully? A. There is a message box telling you the configuration is successful. B. There is no error message. C. System will make a sound to remind you. D. System will reboot automatically. Answer: B
Appendix A 281 13. Network Monitor is an optional tool included with Windows 2000 Server. This, however, is only a limited version. What is its full-featured version, which must be purchased separately? A. Advanced Network Monitor. B. Network Monitor second edition. C. Network Monitor server. D. Systems Management Server. Answer: D
14. You are the network administrator of your company. You want to use ISA Server reporting application to review reports created before. Unfortunately, you are unable to locate the reports. You ensure no one touched any of those reports. You also ensure you didn't assign any security to those reports. What is the reason? A. The reports are encrypted. B. The reports have been deleted. C. The reports do not reside on this computer. D. The reports are hidden. E. The reports have expired. Answer: C
282 Appendix A: 70-227 Certification 15. You are the network administrator of your company. You want to create and view a report. What steps will you need to go through? (Choose all that apply) A. Enable logging for the relevant ISA Server components. B. Enable logging for the relevant ISA client computers components. C. Enable reporting. D. Enable Daily and monthly report gathering. E. Change all ISA Firewall clients to other modes. F. Create scheduled report job. Answers: A,C,D,F
16. You are the network administrator of your company. You want to monitor the performance of ISA Server 2000. What program should you run? A. Performance Monitor. B. Performance Counters. C. Systems Counters. D. System Monitors E. System Manager. Answer: A
Appendix A 283 17. You are the network administrator for your company. You want to view a report created by ISA Server before. There is only one server running ISA Server in the network. You ensure you have all the permissions for accessing this computer. You also ensure no one touched this computer before. Finally, you ensure there is no hardware failure. However, you are unable to locate any report created by ISA Server. What is the problem? A. The ISA Server has crashed. B. Some intruders have attacked and deleted the reports. C. You didn't actually run a report job. D. This computer is not a member server of a domain. Answer: C
18. How do you view a report created by ISA Server 2000? A. ISA Management - Choose Report Type - Right Click the applicable report to open it. B. ISA Reporting Center - Choose Report Type - Right Click the applicable report to open it. C. ISA Manager - Choose Report Type - Right Click the applicable report to open it. D. ISA Reporter - Choose Report Type - Right Click the applicable report to open it. Answer: A
284 Appendix A: 70-227 Certification 19. You are the network administrator of your company. You want to view the critical ISA Server performance counters. Where should you view it? A. Opening ISA Server system Monitor from the ISA Server menu. B. Opening ISA Server Performance Monitor from the ISA Server menu. C. Typing sms in a shell window. D. Typing perfm in a shell window. Answer: B
20. You are the network administrator of your company. Michael is unable to save a report created by ISA Server 2000. He calls you for help. How do you save the report for him? A. ISA Management - Choose the applicable report type - Right Click the applicable report - Save as - .htm, .html B. ISA Management - Choose the applicable report type - Right Click the applicable report - Save as - .txt, .doc C. ISA Management - Choose the applicable report type - Right Click the applicable report - Save as - .isa D. ISA Management - Choose the applicable report type - Right Click the applicable report - Save as - sys Answer: A
Appendix A 285
Index 287
Index Administrator, 34, 40 Agent, 23, 235 Authentication, 50, 149, 154 Bandwidth, 112, 117, 123, 135, 144 Buffer, 278 Cache, 6, 8, 10, 12, 39, 170, 209 Cache File, 36, 192, 214, 276 Caching, 4, 11, 237, 238 Central Processing Unit (CPU), 24, 105, 108, 192, 236 Certificate, 50, 85, 155, 253 Certificate Authority (CA), 155 Challenge Handshake Authentication Protocol (CHAP), 86, 253 Client, 34, 43, 52, 69, 121, 124, 149 Cluster, 77, 96 Compact Disc Read-Only Memory (CD-ROM), 34, 206 Compact Disc-Recordable (CD-R), 34, 36, 206 Component Object Model (COM), 214, 275 Connection, 22, 135, 173, 182, 269 Default Gateway, 166 Directory, 3, 60, 127 Disable, 28, 85, 88, 172, 174, 241 DNS Server, 3, 55, 84, 136, 158, 176 DNS Zone, 195, 216 Domain Name System (DNS), 137 Dynamic Host Configuration Protocol (DHCP), 22, 232 Encryption, 51, 54 Ethernet, 23, 120, 198, 234 File Transfer Protocol (FTP), 12, 26 Filter, 104, 140, 192, 195, 258
Firewall, 4, 16, 41, 99, 108, 151 Forest, 27, 240 Gatekeeper, 7, 40, 55, 81, 129, 248 Gateway, 60 Graphical User Interface (GUI), 67 Group, 132, 256 Group Policy, 256 H.323, 7, 26, 40, 55, 86, 106, 172, 238 Hypertext Transfer Protocol (HTTP), 10, 52, 80, 164, 175, 217, 252 Internet Control Message Protocol (ICMP), 103, 105 Internet Information Services (IIS), 36, 175, 271 Internet Protocol (IP), 59 IP Address, 3, 8, 15, 26, 36, 42, 73, 92 Key, 34 Layer Two Tunneling Protocol (L2TP), 65, 73, 76, 87, 94, 254 Local Area Network (LAN), 163, 180 Local Group, 138, 264 Media, 106, 108, 133, 258 Metric, 58 Microsoft Management Console (MMC), 40 Network Basic Input/Output System (NetBIOS), 60 NTFS File System, 85, 252 Open Database Connectivity (ODBC), 186, 190, 192, 206, 214 Packet, 67, 88, 104, 120, 134, 191 Permission, 213, 274 Ping, 84, 103, 194, 197, 251 Point-to-Point Tunneling Protocol (PPTP), 65, 73, 87, 108, 255
288 Index: 70-227 Certification
Priority, 112, 135, 260
Protocol, 39, 65, 73, 77, 106, 111, 122
Protocol (PAP), 176, 273
Proxy Server, 19
RAID-5 Volume, 27, 240
Redundant Array of Independent
Disks (RAID), 27, 240
Remote Procedure Call (RPC), 106
Rules, 49, 52, 57, 61, 99, 113, 123
Secure Sockets Layer (SSL), 50, 85
Service Pack, 30
Simple Mail Transfer Protocol
(SMTP), 26, 106, 185, 193
Subnet, 26, 238
Subnet Mask, 26, 238
Time To Live (TTL), 12, 14, 26, 239
Transmission Control Protocol /
Internet Protocol (TCP/IP), 78
Uniform Resource Locator (URL),
14, 162, 207
Upgrade, 1, 20, 23, 28, 84, 234
Wide Area Network (WAN), 74
Windows Update, 51
Winsock, 17, 19, 151, 157, 161, 166
Workgroup, 34
Index 289
Other Microsoft Certification books by TotalRecall Publications InsideScoop to MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition ExamWise For MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition ExamInsight For MCP / MCSE Certification: Exam 70-210 Managing a Microsoft Windows 2000 Professional ExamInsight For MCP / MCSE Certification: Exam 70-215 Installing, Configuring, and Administering Microsoft Windows 2000 Server ExamInsight For MCP / MCSE Certification: Exam 70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network ExamInsight For MCP / MCSE Certification: Exam 70-221 Designing a Microsoft Windows 2000 Network Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-270 Microsoft Windows XP Professional
Money Back Book Guarantee 291
Money Back Book Guarantee This guarantee applies only to books published by TotalRecall Press! We are so confident in
our products, we are prepared to offer the following guarantee to YOU:
If you do not pass the real Cisco CCNA 640-607 certification exam after two attempts, we
will give money back!
Visit www.TotalRecallPress.com Select “Money Back Book Guarantee” for details.
Registered book purchasers who qualify will receive
1. Receive a 50% cash refund of purchase price
OR
2. Receive a free TotalRecall Press book of equal value. To qualify for this TotalRecall Press Guarantee you must meet these requirements and perform the following tasks: 1. Register your purchase at the TotalRecall Press web site www.TotalRecallPress.com 2. Fail the corresponding exam twice ( No time Limit ) 3. Contact TotalRecall Press for the RMA # and to claim this guarantee Send email to [email protected] Subject must contain your Membership # or Registration # Ship the following, to the address listed below, to claim your refund. 1. RMA # from returned email 2. Documents of exam scores for both failed attempts 3. The corresponding Certification Book you have TotalRecall Press Attn: Corby Tate 1103 Middlecreek Friendswood, TX 77546 888-992-3131 [email protected] 281-992-3131 http://www.bfqlabs.com 281-482-5390 Fax http://www.bfq.com It's a Passing day here at the BeachFront.
Thank you for using the TotalRecall Press Success Program.
Bruce Moran President
70-227 Practice Exam Purchase
70-227 Practice Exam Purchase BeachFrontQuizzer Inc. (BFQ) version 4.0 With the purchase of this book you qualify to purchase a Beachfront Quizzer Practice exam at a $20 discount. Visit www.TotalRecallPress.com for details.
Register your book purchase at www.TotalRecallPress.com Your Registration Code # = 02227-1000 System Requirements Microsoft Windows OS Workstation Product line with a minimum of 6 MB hard disk space and 16 MB RAM
Call: 281-992-3131
Good Luck with your certification!
Your Book Registration Number is EW-02227-1000
You cannot go wrong with this book because it is
GUARANTEED:
See details at www.TotalRecallPress.com