Module 2: Installing and Maintaining ISA Server


Overview

Installing ISA Server 2004

Choosing ISA Server Clients

Installing and Configuring Firewall Clients

Advanced Firewall Client Configuration

Securing ISA Server 2004

Maintaining ISA Server 2004


Lesson: Installing ISA Server 2004

System and Hardware Requirements for ISA Server 2004

Installation Types and Components

Configuration Choices During Installation

How to Perform an Unattended Installation of ISA Server 2004

How to Verify an Installation of ISA Server 2004

Default Configuration for ISA Server 2004

How to Modify the ISA Server Installation

Upgrade Options from ISA Server 2000 to ISA Server 2004


System and Hardware Requirements for ISA Server 2004

Windows Server 2000 or Windows Server 2003

CPU: 500 MHz

RAM: 256 MB

Hard Disk Format: NTFS

Hard Disk Space: 150 MB

Internal, External


Installation Types and Components


Configuration Choices During Installation


Practice: Installing ISA Server 2004

Installing ISA Server 2004

Internet

Den-ISA-01

Den-DC-01


How to Perform an Unattended Installation of ISA Server 2004

Why Use an Unattended Installation of ISA Server?

Modifying the Msisaund.ini File

[Setup Property Assignment]

PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx

INTERNALNETRANGES=1 192.168.1.0-192.168.1.255

INSTALLDIR=C:\Program Files\Microsoft ISA Server

COMPANYNAME=Coho Vineyards

DONOTDELLOGS=1

DONOTDELCACHE=1

ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE


Running an Unattended Setup

D:\Setup.exe /V" /qn FULLPATHANSWERFILE=\"c:\MSISAUND.INI\""
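A pre-flight check for the answer file shown above, as an added example that is not part of the original course material. INTERNALNETRANGES defines which addresses ISA Server treats as the Internal network, so a miscounted or over-broad range silently changes what is trusted. The comma-separated form for more than one range and the RFC 1918 policy check are assumptions of this example, and the sample input is constructed.

```python
import configparser
import ipaddress

SECTION = "Setup Property Assignment"

# Policy assumption of this example: Internal ranges should be RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the page's file with a second, deliberately wrong range
# added while the declared count is left at 1.
SAMPLE = r"""
[Setup Property Assignment]
PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx
INTERNALNETRANGES=1 192.168.1.0-192.168.1.255,10.0.0.0-11.0.0.255
INSTALLDIR=C:\Program Files\Microsoft ISA Server
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
"""


def parse_internal_ranges(value):
    """Parse 'N from-to[,from-to...]' into (declared_count, [(start, end)])."""
    count_text, _, ranges_text = value.strip().partition(" ")
    declared = int(count_text)
    ranges = []
    for item in ranges_text.split(","):
        start_text, sep, end_text = item.strip().partition("-")
        if not sep:
            raise ValueError(f"range without '-': {item!r}")
        ranges.append((ipaddress.IPv4Address(start_text.strip()),
                       ipaddress.IPv4Address(end_text.strip())))
    return declared, ranges


def audit_answer_file(text):
    """Return a list of (code, message) findings for an answer file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep property names in their original case
    parser.read_string(text)
    if not parser.has_section(SECTION):
        return [("MISSING", f"no [{SECTION}] section")]
    raw = parser[SECTION].get("INTERNALNETRANGES")
    if raw is None:
        return [("MISSING", "INTERNALNETRANGES is not set")]
    try:
        declared, ranges = parse_internal_ranges(raw)
    except ValueError as exc:  # bad count, bad address, or missing '-'
        return [("MALFORMED", f"INTERNALNETRANGES: {exc}")]

    findings = []
    if declared != len(ranges):
        findings.append(("COUNT_MISMATCH",
                         f"declares {declared} range(s), lists {len(ranges)}"))
    for start, end in ranges:
        if start > end:
            findings.append(("REVERSED_RANGE", f"{start}-{end}"))
            continue
        # Split the range into CIDR blocks; every block must sit inside
        # one of the RFC 1918 networks.
        blocks = ipaddress.summarize_address_range(start, end)
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            findings.append(("NON_PRIVATE_RANGE", f"{start}-{end}"))
    return findings


if __name__ == "__main__":
    for code, message in audit_answer_file(SAMPLE):
        print(f"{code}: {message}")
```
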


How to Verify an Installation of ISA Server 2004

Verify that the ISA Server services are installed and started

Verify that the MSDE services are installed and started

Review the setup log files

Check the Application Log in the Event Viewer

Check for ISA Server Alerts


Default Configuration for ISA Server 2004

Only Administrators can modify firewall policies

Traffic is routed between the ISA Server and all other networks

Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation

Traffic is routed between the VPN network and the Internal network

System policy permits access to the ISA Server but access rules deny all network traffic through the ISA Server

No servers are published

Web Proxy requests will be retrieved directly from the Internet

Caching is disabled

A rule enabling access to the Firewall Client installation share is configured if you install the Firewall Client installation files


Practice: Verifying the Installation and Default Configuration of ISA Server 2004

Verifying the successful installation of ISA Server 2004

Examining the default installation of ISA Server 2004

Internet

Den-ISA-01

Den-DC-01


How to Modify the ISA Server Installation Options


Upgrade Options from ISA Server 2000 to ISA Server 2004

In-Place Upgrade:

ISA Server 2000

Install ISA Server 2004

Migration:

ISA Server 2000

Extract the ISA Server 2000 configuration

Install ISA Server 2004

Import the ISA Server configuration


Lesson: Choosing ISA Server Clients

Types of ISA Server Clients

How to Configure a SecureNAT Client

How to Configure Web Proxy Clients

Guidelines for Choosing an ISA Server Client


Types of ISA Server Clients

Improves the performance of Web requests for internal clients

Allows Internet access only for authenticated users

Does not require you to deploy client software

ISA Server

Internet

Web Proxy Client

Firewall Client

SecureNAT Client


How to Configure a SecureNAT Client

SecureNAT clients do not require client installation or client configuration

On a single subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway

On a multiple subnet network, configure the IP address of the router as the SecureNAT client default gateway


How to Configure Web Proxy Clients


Guidelines for Choosing an ISA Server Client

If you need to… | Then use…

Avoid deploying client software | SecureNAT clients

Use ISA Server only for forward caching | SecureNAT or Web Proxy clients

Allow access only for authenticated clients | Firewall clients or Web Proxy clients

Publish servers on your internal network | SecureNAT clients

Improve Web performance for non-Windows operating systems | SecureNAT or Web Proxy clients


Practice: Configuring SecureNAT and Web Proxy Clients

Configuring ISA Server to log client connections

Configuring and testing a SecureNAT client

Configuring and testing a Web Proxy client

Internet

Den-ISA-01

Den-DC-01

Den-Clt-01


Lesson: Installing and Configuring Firewall Clients

How to Configure Firewall Client Settings

The Firewall Client Installation and Configuration Process

Options for Automating the Firewall Client Installation


How to Configure Firewall Client Settings


The Firewall Client Installation and Configuration Process

The Firewall Client:

Uses a common Winsock service provider that other Winsock applications use to connect to application servers

Intercepts Winsock client application calls for remote application servers and redirects the request to ISA Server

Install the Firewall Client:

From the Firewall Client share on the computer running ISA Server or another network share


Practice: Installing the Firewall Client

Configuring the Firewall Client settings on ISA Server

Installing the Firewall Client

Internet

Den-ISA-01

Den-DC-01

Den-Clt-01


Options for Automating the Firewall Client Installation

SMS package distributed to specific clients using SMS

Unattended installation

Software package distributed using Group Policies


Lesson: Advanced Firewall Client Configuration

Advanced Firewall Client Configuration Options

Firewall Client Configuration Files

What is the Automatic Discovery Feature?


Advanced Firewall Client Configuration Options

Locallat.txt:

A client computer-specific file that defines local addresses for that client

The client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the local IP addresses

Advanced Firewall Client settings:

Can configure locally for each user and for each computer

Configure changes to Firewall Client .ini files


Firewall Client Configuration Files

Application.ini

[FW_Client_App]

Disable=0

NameResolution=R

LocalBindTcpPorts=7777

LocalBindUdpPorts=7000-7022, 7100-7170

RemoteBindTcpPorts=30

RemoteBindUdpPorts=3000-3050

ServerBindTcpPorts=100-300

ProxyBindIp=80:192.168.10.20, 82:192.168.10.30

KillOldSession=1

Persistent=1

ForceCredentials=1

NameResolutionForLocalHost=L


What Is the Automatic Discovery Feature?

Diagram labels: DNS or DHCP Server, Den-ISA-01

Where is Lon-ISA-02?

Query DHCP or DNS for a WPAD entry

WPAD: Den-ISA-01

Request Configuration File

Firewall Client Configuration


Practice: Configuring Automatic Discovery

Configure the ISA Server for Automatic Discovery

Configure DHCP for Automatic Discovery

Configure DNS for Automatic Discovery

Internet

Den-ISA-01

Den-DC-01

DNS Server

DHCP Server

Den-Clt-01


Lesson: Securing ISA Server 2004

ISA Server and Defense in Depth

About Using Security Templates to Secure the Server

Methods for Implementing Security Updates

Guidelines for Enabling Only Required Services

How to Secure the Network Interfaces

Configuring Administrative Roles

Best Practices for Securing the Server


ISA Server and Defense in Depth

Security at all levels:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Layer | Examples

Policies, Procedures, & Awareness | User education

Physical Security | Guards, locks, tracking devices

Perimeter | Firewalls, Network Access Quarantine Control

Internal Network | Network segments, IPSec, NIDS

Operating Systems | OS hardening, authentication, patch management, HIDS

Application | Application hardening, antivirus

Data | ACLs, encryption, EFS


About Using Security Templates to Secure the Server

Configure one security template and then apply it to multiple computers, or reapply the template occasionally to the same computers to ensure that the security settings are not changed

Use the Security Templates MMC snap-in to apply the security templates to ISA Servers

Apply the security template through Group Policies at a domain or organizational unit level


Methods for Implementing Security Updates

Monitor security updates to know what security updates are available and the security issues each update is designed to fix

Use tools like Microsoft Baseline Security Analyzer, Windows Update Service, Microsoft Windows Update Services, and Systems Management Server to implement security updates

Implement security updates on ISA Server only after thorough evaluation and testing


Guidelines for Enabling Only Required Services

Enable only required services

Minimize the number of Windows 2000 and Windows Server 2003 built-in services


How to Secure the Network Interfaces

Secure the External Network Interface

Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks

Disable NetBIOS over TCP/IP

Disable LMHOSTS lookup

Disable automatic DNS name registration

Configure the Internal Network Interface

Disable components if not required


Configuring Administrative Roles

ISA Server Administrative Roles

Role | Description

ISA Server Basic Monitoring | Monitor ISA Server and network activity; cannot configure monitoring functionality

ISA Server Extended Monitoring | Can perform all monitoring tasks; can modify monitoring configuration

ISA Server Full Administrator | Can perform all administrative tasks


Best Practices for Securing the Server

Securing ISA Server

Do Not Install ISA Server on a Domain Controller

Avoid Installing an Internet Edge Server on a Domain Member

Rename the Administrator Account

Disable Unused Functionality

Apply Windows Server Security Best Practices


Practice: Securing the ISA Server

Configuring Active Directory for Securing ISA Server

Configuring Security on Den-ISA-01

Internet

Den-ISA-01

Den-DC-01

Den-Clt-01


Lesson: Maintaining ISA Server 2004

About Monitoring the Server Running ISA Server

About Exporting and Importing the ISA Server Configuration

About Backing Up and Restoring the ISA Server Configuration

Remote Administration Options for ISA Server


About Monitoring the Server Running ISA Server

ISA Server monitoring tasks include:

Task | Description

Monitor Event Viewer | Includes information about service failures, application errors, and warnings

Use the ISA Server Dashboard | Single interface for ISA alerts and performance

Review the ISA Server Alerts | Includes information about service conditions and error conditions

Monitor Connectivity to Network Services | Monitor connectivity to Active Directory, DNS servers, internal Web servers, and selected Internet Web servers

Monitor Server Performance | Use the pre-configured ISA Server Performance Monitor console


About Exporting and Importing the ISA Server Configuration

Use export and import to clone an ISA Server, to save a configuration for troubleshooting, or to roll back a configuration change

You can export the entire ISA Server configuration, or any individual or group of configuration settings

Importing a configuration overwrites all settings from the exported file


About Backing Up and Restoring the ISA Server Configuration

Use backup to create a configuration file that can be used for disaster recovery

Backup creates a file with the entire ISA Server configuration

Restoring a backup overwrites all ISA Server settings


Remote Administration Options for ISA Server

Use remote administration to manage physically secured servers or servers in other offices

Use Remote Desktop or Terminal Services to manage all settings on the server running ISA Server

Configure the server running ISA Server to enable Remote Desktop and configure System Policy to enable remote MMC management

Use the ISA Server Management MMC to manage ISA Server settings remotely


Practice: Maintaining ISA Server 2004

Preparing the Client Computer for Remote Administration

Preparing ISA Server for Remote Management

Remotely administering ISA Server

Internet

Den-ISA-01

Den-DC-01

Den-Clt-01


Lab: Installing and Configuring ISA Server 2004

Exercise 1: Performing an Unattended Installation of ISA Server 2004

Exercise 2: Migrating an ISA Server Configuration

Exercise 3: Securing ISA Server 2004

Den-DC-01

Internet

Den-ISA-01

Den-ISA-02