Installing and Maintaining ISA Server

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies


Planning an ISA Server Deployment

• Understand the current network infrastructure
• Review company security policies
• Plan the required network infrastructure
• Plan for branch office installations
• Plan for availability and fault tolerance
• Plan for access to the Internet
• Plan the ISA Server client implementation and deployment
• Plan for server publishing
• Plan for VPN deployment
• Plan the implementation


Network Infrastructure Requirements

• DNS

• Domain controllers

• DHCP


Domain Name System Requirements

• To connect to resources on the Internet, client computers must be able to resolve the DNS names for servers on the Internet to IP addresses

• To enable access to Internet resources, ensure that all client computers can resolve Internet DNS names

• You can use:
– Internal DNS Server
– External DNS Server


Domain Controller Requirements

• Restrict access to Internet resources based on user accounts

• Require authentication before users can access published servers

• ISA Server provides several options for authenticating the users


Dynamic Host Configuration Protocol Requirements

• DHCP is not required to support an ISA Server infrastructure, but it is highly recommended because it simplifies network management.

• The advantage of using DHCP is that it can provide the IP configuration for all the client computers on your network automatically. This can make your ISA Server deployment much more efficient.


Operating System Requirements

• System and Hardware Requirements for ISA Server 2006:

• ISA Server can be installed on standard, Intel/AMD-based server hardware.

| Component | Requirement |
| --- | --- |
| OS | Windows Server 2003 with SP1 or higher |
| Processor | Single 733MHz Pentium III equivalent |
| Memory | 512MB of memory |
| Disk Space | 150MB available (for installation of ISA software) |
| Network Cards / ISDN Adapter / Modem | One OS-compatible card per connected network |


Guidelines for Installing ISA Server, Standard Edition

• To Configure the ISA Server Network Interfaces
– The Internal Interface
– Perimeter Network Interfaces


Choosing an ISA Server Client

• ISA Server Client Options

• Firewall clients

• SecureNAT clients

• Web Proxy clients


What Is a Firewall Client

• The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer


What Is a Firewall Client

• The advantages of using Firewall clients:

• Firewall clients enable user or group based access control and logging

• When a Firewall client connects to ISA Server, the Firewall service automatically authenticates the user.

• The Firewall Client software can configure the Web Proxy browser automatically.


What Is a Firewall Client

• You must install the Firewall Client software on the client computers

• If you have a large number of client computers in your organization and no means of automating the client installation, deploying the client will require significant effort

• The Firewall client can only be installed on Windows computers


What Is a SecureNAT Client

• SecureNAT clients do not have the Firewall Client software installed.

• The clients must be able to route requests for Internet resources through the ISA Server computer

• Configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.


What Is a SecureNAT Client

• When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client.

• The client request is then directed to the Firewall service to determine whether access is allowed.

• Finally, the request may be filtered by application filters and other extensions.


What Is a SecureNAT Client

• SecureNAT clients have other advantages:

• SecureNAT clients also provide almost as much functionality as Firewall clients

• Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols.

• SecureNAT can use the Web Proxy service for Web access filtering and caching

• Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client


What Is a SecureNAT Client

• SecureNAT clients have two primary limitations

• You cannot control access to Internet resources based on users and groups

• SecureNAT clients may not be able to use all protocols


Example

Located on the Branch Office Network:

• The client computers must be configured with Router3 as the default gateway.

• Router3 must be configured with Router2 as the default gateway.

• Router2 must be configured to route Internet requests to Router1.

• Router1 must be configured to route Internet requests to the ISA Server computer.

Located on Main Office Network2 or Main Office Network1:

• The client computers must be configured to route all Internet requests to Router1.

• Router1 must be configured to route Internet requests to the ISA Server computer.
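
The gateway chain in the example above can be checked mechanically. The following Python sketch is an added example, not part of the original slides: it models each device's next hop for Internet-bound traffic and reports any SecureNAT client whose path loops or stops before reaching the ISA Server computer. The client node names, the dictionary layout and the function names are assumptions made for illustration.

```python
# Constructed model of the example topology: each node maps to its next hop
# for Internet-bound traffic. Router names follow the slide; the client names,
# dict layout and function names are assumptions for illustration.
ISA = "ISA Server"

NEXT_HOP = {
    "BranchClient": "Router3",
    "Router3": "Router2",
    "Router2": "Router1",
    "MainOffice1Client": "Router1",
    "MainOffice2Client": "Router1",
    "Router1": ISA,
}


def internet_path(node, next_hop, egress=ISA):
    """Follow next hops from node and return the path if it ends at egress.

    Raises ValueError on a routing loop or on a hop with no Internet route;
    either one means the client's traffic never reaches the ISA Server.
    """
    path = [node]
    seen = {node}
    while path[-1] != egress:
        hop = next_hop.get(path[-1])
        if hop is None:
            raise ValueError(f"no Internet route at {path[-1]}: {' -> '.join(path)}")
        if hop in seen:
            raise ValueError(f"routing loop via {hop}: {' -> '.join(path)}")
        path.append(hop)
        seen.add(hop)
    return path


def audit(clients, next_hop):
    """Return {client: path list, or an 'ERROR: ...' string} for each client."""
    report = {}
    for client in clients:
        try:
            report[client] = internet_path(client, next_hop)
        except ValueError as exc:
            report[client] = f"ERROR: {exc}"
    return report


if __name__ == "__main__":
    clients = ["BranchClient", "MainOffice1Client", "MainOffice2Client"]
    for name, result in audit(clients, NEXT_HOP).items():
        print(name, "=>", result)
```
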


What Is a Web Proxy Client?

• A Web Proxy client is a client computer that has an HTTP 1.1–compliant Web browser application and is configured to use the ISA Server computer as a Web Proxy server.

• You do not have to install any software to configure Web Proxy clients.

• You must configure the Web applications on the client computers to use the ISA Server computer as a proxy server


How to Configure ISA Server for Web Proxy Clients

• The first step in enabling Web Proxy clients is to configure the ISA Server computer to allow connections from these clients.


Configuring Web Proxy Clients Manually


How to Configure Web Proxy Clients


Guidelines for Choosing ISA Server Clients

| If You Need To | Then Use |
| --- | --- |
| Avoid deploying or configuring client software | SecureNAT clients |
| Use ISA Server only for accessing Web resources using HTTP or HTTPS | SecureNAT or Web Proxy clients |
| Allow access only for authenticated clients | Firewall clients or Web Proxy clients |
| Publish servers that are located on your Internal network | SecureNAT clients |
| Improve Web performance in an environment with non-Windows operating systems | Web Proxy or SecureNAT clients |


Configuring the SecureNAT and Web Proxy Clients

• Configuring SecureNAT Clients to Route Internet Requests


Installing and Configuring the Firewall Client

• How to Install Firewall Client

• From the client folder on the ISA Server computer, run setup.exe

• To enable Automatic Discovery of the ISA Server computer, select Automatically Detect The Appropriate ISA Server Computer.


Installing and Configuring the Firewall Client

• You can enable or disable the Firewall Client, and configure it to detect the ISA Server computer automatically or configure the ISA Server computer manually.


Installing and Configuring the Firewall Client

• To deploy the Firewall Client to a large number of clients, choose to automate the Firewall Client installation.

• Using Active Directory Group Policy to Distribute the Firewall Client


Securing ISA Server 2006

• Defense-in-depth:

• A defense-in-depth security strategy means that you use multiple levels of defense to secure your network


Securing ISA Server 2006

• Policies, procedures, and awareness

• Physical security: Ensure that only authorized personnel can gain physical access to the resources.

• Perimeter: Ensure that the connecting point between the Internet and the internal network is as secure as possible; options for providing this security include firewalls or multiple firewalls.

• Internal networks: Even if the perimeter is secure, you must still ensure that the internal networks are secure for cases in which the perimeter is compromised or when the attacker is within the organization.

• Operating systems

• Applications

• Data


How to Secure the Network Interfaces

• To secure ISA Server, begin by securing the network interfaces connected to the server.

• Securing the External Network Interface

• Securing the Internal Network Interface

• Using Security Templates to Manage Services

• Implementing Security Templates


Maintaining ISA Server 2006

• How to Export and Import the ISA Server Configuration

• Exporting the ISA Server Configuration:


How to Export and Import the ISA Server Configuration

• Cloning a server: export a configuration from one ISA Server computer and then import the settings on another computer

• Saving a partial configuration: export and import any part of the ISA Server configuration: a single rule, an entire policy, or an entire configuration

• Sending a configuration for troubleshooting

• Rolling back a configuration change


Exporting the ISA Server Configuration

• The entire ISA Server configuration
• All the connectivity verifiers, or one selected connectivity verifier
• All the networks, or one selected network
• All the network sets, or one selected network set
• All the network rules, or one selected network rule
• All the Web chaining rules, or one selected Web chaining rule
• Cache configuration
• All the content-download jobs, or one or more selected content-download jobs
• The entire firewall policy, or one selected rule


Importing the ISA Server Configuration

• Open ISA Server Management.
• Select the object whose settings you want to import. You must select the correct type of object for the configuration file that you are using.
• On the Tasks tab, click the import task. The exact name for the task will vary, depending on the type of object that you selected.
• Select the exported .xml file and click Import.
• Click Apply to apply the changes and click OK when the changes have been applied.


How to Back Up and Restore the ISA Server Configuration

• Open ISA Server Management and click the server name. The option to back up and restore the ISA Server configuration is available only when you select the server name.
• On the Tasks tab, click Backup This ISA Server Configuration.
• Enter a file name for the backup file and click Backup.
• You must provide a password for the ISA Server backup.
• To restore the backup, click the server name in ISA Server Management. Then click Restore this ISA Server Configuration and select the appropriate ISA Server backup file.
• Click Apply to apply the changes and click OK when the changes have been applied.
