70 350 implementing microsoft internet security and accelera

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright 2005 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number 2004118212

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to [email protected].

Microsoft, Active Directory, ActiveSync, FrontPage, Microsoft Press, MSDN, MSN, Outlook, PowerPoint, SharePoint, Visual Basic, Visual Studio, Win32, Windows, Windows Mobile, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Product Planner: Martin DelRe
Content Development Manager: Lori Kane
Project Manager: Julie Pickering
Project Editor: Susan McClung
Technical Editor: Kurt Dillard
Technologist: Colin Lyth
Copy Editor: Peter Tietjen
Proofreaders: Jan Cocker, Cindy Gearhart, and Kiren Valjee
Indexer: Jack Lewis

Body Part No. X11-10416

As always, I dedicate this book to the three wonderful women in my life: my wife, Rhonda, and my daughters, Angela and Amanda.
Stan Reimer

To my beautiful and lovely wife, Oksana, and my fantastic son, Rooslan. You make this all possible.
Orin Thomas

About the Authors

Stan Reimer, Microsoft Certified System Engineer (MCSE), and Microsoft Certified Trainer (MCT), is the president of SR Technical Services based in Winnipeg, Manitoba. Stan works as a consultant and trainer specializing in Microsoft ISA Server, Microsoft Exchange Server, and Active Directory design and implementation. Stan has worked as a consultant with some of the largest corporations in Canada, as well as some of the smallest. He is the co-author of Active Directory for Microsoft Windows Server 2003 Technical Reference, published by Microsoft Press, and also authors courseware and security clinics for Microsoft Learning. In the summer, Stan finds hitting the road on his motorcycle or hitting golf balls on a golf course to be excellent therapy. In the winter, he just works, because it is too cold in Winnipeg to do anything else.

Orin Thomas is a writer, editor, trainer, and systems administrator who works for the certification advice Web site Certtutor.net. His work in IT has been varied: he has done everything from providing first-level networking support to a university department to managing mission-critical servers for one of Australia's largest companies. He has co-authored several MCSA/MCSE self-paced training kits for Microsoft Learning. He holds a variety of certifications, a bachelor's degree in science with honors from the University of Melbourne, and is currently working toward the completion of a Ph.D in Philosophy of Science.

Contents at a Glance

Part 1  Learn at Your Own Pace
  1  Introduction to ISA Server 2004
  2  Installing ISA Server 2004
  3  Securing and Maintaining ISA Server 2004
  4  Installing and Managing ISA Server Clients
  5  Enabling Secure Internet Access with ISA Server 2004
  6  Implementing ISA Server Caching
  7  Configuring ISA Server as a Firewall
  8  Implementing ISA Server Publishing
  9  Integrating ISA Server 2004 and Exchange Server
  10  Configuring Virtual Private Networks for Remote Clients and Networks
  11  Implementing Monitoring and Reporting
  12  Implementing ISA Server 2004, Enterprise Edition

Part 2  Prepare for the Exam
  13  Planning and Installing ISA Server 2004 (1.0)
  14  Installing and Configuring Client Computers (2.0)
  15  Configuring and Managing ISA Server 2004 (3.0)
  16  Configuring Web Caching (4.0)
  17  Configuring Firewall Policy (5.0)
  18  Configuring and Managing Remote Network Connectivity (6.0)
  19  Monitoring and Reporting ISA Server 2004 Activity (7.0)

Practices

  Installing ISA Server 2004
  Securing the Computer Running ISA Server
  Securing ISA Server
  Maintaining ISA Server 2004
  Configuring SecureNAT and Web Proxy Clients
  Installing and Configuring Firewall Clients
  Configuring ISA Server as a Proxy Server
  Configuring Access Rule Elements
  Configuring ISA Server Authentication
  Configuring Access Rules for Internet Access
  Configuring Caching and Cache Rules
  Configuring Content Download Jobs
  Configuring Multiple Networking on ISA Server
  Implementing Network Templates
  Configuring Intrusion Detection and IP Preferences
  Configuring an HTTP Web Filter
  Configuring DNS for Web and Server Publishing
  Configuring Web Publishing Rules
  Configuring Secure Web Publishing Rules
  Configuring Server Publishing Rules
  Configuring ISA Server Authentication
  Configuring ISA Server to Secure SMTP Traffic
  Configuring ISA Server to Secure OWA Client Connections
  Configuring ISA Server to Secure Outlook Client Connections
  Configuring Virtual Private Networking for Remote Clients
  Configuring Virtual Private Networking for Remote Sites
  Configuring VPN Quarantine Control
  Configuring and Managing Alerts
  Configuring Session and Connectivity Monitoring
  Configuring ISA Server Reporting
  Installing a Configuration Storage Server
  Configuring Enterprise and Array Policies
  Installing ISA Server 2004, Enterprise Edition

Tables

  Table 1-1: New Features in ISA Server 2004
  Table 1-2: ISA Server Monitoring Components
  Table 2-1: ISA Server 2004 Hardware Scalability
  Table 2-2: Msisaund.ini Parameters
  Table 2-3: ISA Server Unattended Setup Parameters
  Table 3-1: Services Required for ISA Server 2004
  Table 3-2: Optional Services
  Table 3-3: ISA Server Default Configuration
  Table 3-4: System Policy Settings
  Table 3-5: ISA Server Roles and Tasks
  Table 4-1: Comparing the ISA Server Clients
  Table 4-2: Guidelines for Choosing ISA Server Clients
  Table 4-3: Configuring Network Settings for SecureNAT Clients
  Table 4-4: ISA Server Firewall Configuration Settings
  Table 4-5: Application.ini File Settings
  Table 5-1: ISA Server Internet Access Restrictions
  Table 5-2: Configuring Dial-Up Preferences
  Table 5-3: Access Rule Element Types
  Table 5-4: Protocol Element Configuration Options
  Table 5-5: Network Object Access Rule Elements
  Table 5-6: Authentication Configuration Options
  Table 5-7: Access Rule Format
  Table 6-1: ISA Server Caching Restrictions
  Table 6-2: Advanced Caching Configuration Options
  Table 6-3: Cache Rule Options and the Default Cache Rule
  Table 6-4: Configuring Content Retrieval Settings
  Table 6-5: Configuring Content Caching
  Table 6-7: Configuring HTTP Caching
  Table 6-8: Configuring FTP Caching
  Table 6-9: Configuring Download Frequency
  Table 6-10: Configuring Content Download Job Details
  Table 6-11: Configure Content Download Job Caching
  Table 7-1: ISA Server Default Networks
  Table 7-2: ISA Server Default Network Rules
  Table 7-3: Firewall Policies Applied by the Internet-Edge Template
  Table 7-4: ISA Server Intrusion-Detection Options
  Table 7-5: Configuring HTTP Policy General Properties
  Table 7-6: HTTP 1.1 Methods
  Table 7-7: How ISA Server Evaluates Extensions
  Table 7-8: Application Signatures for Common Applications
  Table 8-1: Web Publishing Rule Configuration Options
  Table 8-2: Web Site Configuration Options
  Table 8-3: Server Publishing Rule Configuration Options
  Table 8-4: Port Override Configuration Options
  Table 9-1: Supported SMTP Commands
  Table 9-2: Configuring the SMTP Message Screener
  Table 9-3: RPC over HTTP Requirements
  Table 10-1: Comparing PPTP and L2TP/IPSEC
  Table 10-2: Site-to-Site VPN Configuration Components
  Table 10-3: Comparing Site-to-Site Tunneling Protocols
  Table 10-4: Remote-Site VPN Gateway Configuration Components
  Table 11-1: ISA Server Monitoring Components
  Table 11-2: ISA Server Management Console Dashboard Nodes
  Table 11-3: ISA Server Performance Objects
  Table 11-4: Alert Event Configuration Options
  Table 11-5: Configuring an Alert Action
  Table 11-6: Session Filtering Options
  Table 11-7: Connectivity Monitoring Configuration Options
  Table 11-8: ISA Server Log Options
  Table 11-9: Configuring the ISA Server Log Summaries
  Table 12-1: ISA Server Enterprise Edition Unattended Installation Files

Troubleshooting Labs

  Troubleshooting Labs appear on book pages 3-39, 5-62, 5-71, 7-66, 8-76, and 9-50.

Case Scenario Exercises

  Case Scenario Exercises appear on book pages 1-37, 1-45, 2-37, 3-38, 3-46, 4-46, 4-51, 5-61, 5-70, 6-39, 6-45, 7-65, 7-73, 8-75, 8-86, 9-49, 9-59, 10-69, 10-77, 11-58, 11-66, 12-72, and 12-81.

Contents

About This Book
  Intended Audience
  Prerequisites
  About the CD-ROM
  Features of This Book
  Notes
  Conventions
  Getting Started
  Hardware Requirements
  Software Requirements
  Setup Instructions
  The Microsoft Certified Professional Program
  Technical Support

Part 1  Learn at Your Own Pace

1  Introduction to ISA Server 2004
  Before You Begin
  Lesson 1: Overview of ISA Server Functionality
    How ISA Server Works: An Overview
    How ISA Server Works as a Firewall
    How ISA Server Enables Secure Internet Access
    How ISA Server Enables Internal Resource Publishing
    How ISA Server Works as a VPN Server
    Lesson Summary
  Lesson 2: Overview of ISA Server 2004 Editions and Versions
    Differences Between ISA Server Standard Edition and Enterprise Edition
    Differences Between ISA Server 2004 and ISA Server 2000
    Lesson Review
    Lesson Summary
  Lesson 3: Explaining ISA Server Deployment Scenarios
    How ISA Server Works as an Internet-Edge Firewall
    How ISA Server Works as a Back-End Firewall
    How ISA Server Works as a Branch Office Firewall
    How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server
    How ISA Server Works as a Proxy- and Caching-Only Server
    Lesson Review
    Lesson Summary
  Lesson 4: Overview of ISA Server 2004 Administration
    The ISA Server Administration Process
    ISA Server Management Console Features
    ISA Server Monitoring Overview
    Lesson Review
    Lesson Summary
  Scenario
  Exam Highlights
    Key Points
    Key Terms

2  Installing ISA Server 2004
  Before You Begin
  Lesson 1: Planning an ISA Server Deployment
    The ISA Server Deployment Planning Process
    Network Infrastructure Requirements
    Server Requirements
    Guidelines for Capacity Planning
    Lesson Review
    Lesson Summary
  Lesson 2: Installing ISA Server 2004
    ISA Server 2004 Installation Preparation Checklist
    Guidelines for Installing ISA Server, Standard Edition
    How to Verify a Successful ISA Server Installation
    How to Perform an Unattended Installation of ISA Server 2004
    Guidelines for Troubleshooting an ISA Server Installation
    Practice: Installing ISA Server 2004
    Lesson Review
    Lesson Summary
  Lesson 3: Overview of the ISA Server 2000 Migration Process
    How the ISA Server 2000 In-Place Upgrade Process Works
    How an ISA Server 2000 Configuration Migration Works
    Ways to Migrate Routing and Remote Access VPN to ISA Server 2004
    Lesson Review
    Lesson Summary
  Scenario 1
  Scenario 2
  Exam Highlights
    Key Points
    Key Terms
  Case Scenario Exercises

3  Securing and Maintaining ISA Server 2004
  Before You Begin
  Lesson 1: Securing ISA Server 2004
    How to Harden the Server
    Practice: Securing the Computer Running ISA Server
    How to Secure the ISA Server Configuration
    Practice: Securing ISA Server
    Lesson Review
    Lesson Summary
  Lesson 2: Maintaining ISA Server 2004
    How to Export and Import the ISA Server Configuration
    How to Back Up and Restore the ISA Server Configuration
    How to Implement Remote Administration
    Practice: Maintaining ISA Server 2004
    Lesson Review
    Lesson Summary
  Scenario 1
  Scenario 2
  Exercise 1: Preparing the Workstation for Remote Administration
  Exercise 2: Troubleshooting Remote Administration
  Exam Highlights
    Key Points
    Key Terms

4  Installing and Managing ISA Server Clients
  Before You Begin
  Lesson 1: Choosing an ISA Server Client
    ISA Server Client Options
    Lesson Review
    Lesson Summary
  Lesson 2: Configuring the SecureNAT and Web Proxy Clients
    How to Configure SecureNAT Clients
    How to Configure Web Proxy Clients
    How to Troubleshoot SecureNAT and Web Proxy Clients
    Practice: Configuring SecureNAT and Web Proxy Clients
    Lesson Review
    Lesson Summary
  Lesson 3: Installing and Configuring the Firewall Client
    How to Install Firewall Client
    How to Automate Firewall Client Installation
    How to Configure ISA Server for Firewall Clients
    Advanced Firewall Client Configuration
    Practice: Installing and Configuring Firewall Clients
    Lesson Review
    Lesson Summary
  Scenario 1
  Chapter Summary
  Exam Highlights
    Key Points
    Key Terms

5  Enabling Secure Internet Access with ISA Server 2004
  Before You Begin
  Lesson 1: Enabling Secure Access to Internet Resources
    What Is Secure Access to Internet Resources?
    Guidelines for Designing an Internet Usage Policy
    How ISA Server Enables Secure Access to Internet Resources
    Lesson Review
    Lesson Summary
  Lesson 2: Configuring ISA Server as a Proxy Server
    What Is a Proxy Server?
    How to Configure ISA Server as a Proxy Server
    How to Configure Web and Firewall Chaining
    How to Configure Dial-Up Connections
    Practice: Configuring ISA Server as a Proxy Server
    Lesson Review
    Lesson Summary
  Lesson 3: Configuring Access Rule Elements
    What Are Access Rule Elements?
    How to Configure Access Rule Elements
    Practice: Configuring Access Rule Elements
    Lesson Review
    Lesson Summary
  Lesson 4: Configuring ISA Server Authentication
    ISA Server Authentication Options
    How to Configure Authentication
    Practice: Configuring ISA Server Authentication
    Lesson Review
    Lesson Summary
  Lesson 5: Configuring Access Rules for Internet Access
    What Are Access Rules?
    How to Configure Access Rules
    Troubleshooting Internet Access
    Practice: Configuring Access Rules for Internet Access
    Lesson Review
    Lesson Summary
  Scenario 1
  Scenario 2
  Exam Highlights
    Key Points
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-656Implementing ISA Server Caching6-1Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Lesson 1: Caching Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 What Is Caching? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 How Caching Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 Caching Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 What Are Content Download Jobs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 How Caching Is Implemented in ISA Server 2004 . . . . . . . . . . . . . . . . . . . 6-7 How ISA Server Restricts Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8 What Is Web Chaining and Caching? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 Lesson 2: Configuring Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 How to Enable Caching and Configure Cache Drives . . . . . . . . . . . . . . . . . 6-13 How to Configure Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 What Are Cache Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17 How to Create and Manage Cache Rules . . . . . . . . . . . . . . . . . . . . . . . . . 6-18 Guidelines for Troubleshooting Caching . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25 Practice: Configuring Caching and Cache Rules . . . . . . . . . . . . . . 
. . . . . . 6-26 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30 14. xviiiTable of ContentsLesson 3: Configuring Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . 6-31 How to Configure Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . 6-31 How to Manage Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35 Practice: Configuring Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . 6-36 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-37 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38 Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39 Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40 Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-417Configuring ISA Server as a Firewall7-1Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Lesson 1: Introduction to ISA Server as a Firewall . . . . . . . . . . . . . . . . . . . . . . 7-3 What Is Packet Filtering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 What Is Stateful Filtering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 What Is Application-Layer Filtering? . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 What Is Intrusion Detection? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10 Lesson 2: Configuring Multiple Networking on ISA Server . . . . . . . . . . . . . . . . 7-12 ISA Server Support for Multiple Networks . . . . . . . . . . . . . . . . . . . . . . . . . 7-12 Default Networks Enabled in ISA Server . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15 How to Create and Modify Network Objects . . . . . . . . . . . . . . . . . . . . . . . 7-16 How to Configure Network Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17 Practice: Configuring Multiple Networking on ISA Server . . . . . . . . . . . . . . 7-20 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23 Lesson 3: Implementing Perimeter Networks and Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24 What Are Perimeter Networks? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24 What Are Network Templates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28 How to Implement Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29 Practice: Implementing Network Templates . . . . . . . . . . . . . . . . . . . . . . . 7-33 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-36 15. Table of ContentsxixLesson 4: Configuring Intrusion Detection and IP Preferences . . . . . . . 
. . . . . . 7-37 Intrusion-Detection Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . 7-37 How to Configure Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39 IP Preferences Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-40 How to Configure IP Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-41 Practice: Configuring Intrusion Detection and IP Preferences . . . . . . . . . . . 7-43 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-44 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-45 Lesson 5: Implementing Application and Web Filtering . . . . . . . . . . . . . . . . . . 7-46 What Are Application Filters? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46 What Are Web Filters? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48 How the HTTP Web Filter Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49 How to Configure a HTTP Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50 Practice: Configuring an HTTP Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . 7-61 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-63 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-64 Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-65 Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-67 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-67 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-688Implementing ISA Server Publishing8-1Before You Begin . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Lesson 1: Introduction to Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 What Are Web Publishing Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 What Are Server Publishing Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Considerations for Configuring DNS for Web and Server Publishing . . . . . . . 8-6 Practice: Configuring DNS for Web and Server Publishing . . . . . . . . . . . . . . 8-9 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11 Lesson 2: Configuring Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . 8-13 Components of a Web Publishing Rule Configuration . . . . . . . . . . . . . . . . . 8-13 How to Configure Web Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14 How to Configure Path Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19 How to Configure Link Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21 How to Configure Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23 Practice: Configuring Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . 8-29 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32 16. xxTable of ContentsLesson 3: Configuring Secure Web Publishing Rules . . . . . . . . . . . . . . . . . . . 8-33 Components of a Secure Web Publishing Rule Configuration . . . . . . . . . . . 8-33 How to Install Digital Certificates on ISA Server . . . . . . . . . . . . . . . . . . . . 8-36 How to Configure SSL Bridging . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . 8-37 How to Configure SSL Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39 How to Configure a New Secure Web Publishing Rule . . . . . . . . . . . . . . . . 8-39 Practice: Configuring Secure Web Publishing Rules . . . . . . . . . . . . . . . . . . 8-42 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-45 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-46 Lesson 4: Configuring Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . 8-47 Components of a Server Publishing Rule Configuration . . . . . . . . . . . . . . . 8-47 How to Configure a Server Publishing Rule . . . . . . . . . . . . . . . . . . . . . . . . 8-49 Server Publishing Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52 Guidelines for Troubleshooting Web and Server Publishing . . . . . . . . . . . . . 8-58 Practice: Configuring Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . 8-59 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62 Lesson 5: Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . . 8-63 How Authentication and Web Publishing Rules Work Together . . . . . . . . . . 8-63 ISA Server Web Publishing Authentication Scenarios . . . . . . . . . . . . . . . . . 8-64 How to Implement RADIUS Server for Authentication . . . . . . . . . . . . . . . . . 8-67 How to Implement SecurID for Authentication . . . . . . . . . . . . . . . . . . . . . . 8-70 Practice: Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . 8-71 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-73 Lesson Summary . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-74 Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-75 Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-76 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-78 Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-78 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-79 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-799Integrating ISA Server 2004 and Exchange Server9-1Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Lesson 1: Configuring ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . . . . 9-3 Known SMTP Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3 How to Configure ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . . . . . 9-5 How to Configure the SMTP Application Filter . . . . . . . . . . . . . . . . . . . . . . . 9-8 How to Implement SMTP Message Screener . . . . . . . . . . . . . . . . . . . . . . 9-11 Guidelines for Implementing SMTP Message Screener . . . . . . . . . . . . . . . 9-16 17. Table of ContentsxxiPractice: Configuring ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . 9-19 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25 Lesson 2: Configuring ISA Server to Secure Web Client Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26 Known Web Client Security Issues . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . 9-26 How to Configure ISA Server to Enable Outlook Web Access Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28 How to Configure Forms-Based Authentication . . . . . . . . . . . . . . . . . . . . . 9-30 How to Configure ISA Server to Enable Access for Other Web Clients . . . . . 9-33 Practice: Configuring ISA Server to Secure OWA Client Connections . . . . . . 9-34 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37 Lesson 3: Configuring ISA Server to Secure Outlook Client Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-38 Known Outlook Client Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39 How to Configure ISA Server to Secure Outlook RPC Connections . . . . . . . 9-40 What Is RPC over HTTP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-43 How to Configure RPC-over-HTTP Connectivity . . . . . . . . . . . . . . . . . . . . . . 9-44 How to Configure E-Mail Access for POP3 and IMAP4 Clients . . . . . . . . . . . 9-46 Practice: Configuring ISA Server to Secure Outlook Client Connections . . . . 9-47 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49 Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49 Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
9-5510Configuring Virtual Private Networks for Remote Clients and Networks10-1Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Lesson 1: Planning a Virtual Private Networking Infrastructure . . . . . . . . . . . . . 10-4 What Is Virtual Private Networking? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 VPN Protocol Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7 VPN Authentication Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10 How Virtual Private Networking Is Implemented Using ISA Server 2004 . . 10-11 Guidelines for Planning a VPN Infrastructure . . . . . . . . . . . . . . . . . . . . . . 10-12 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14 18. xxiiTable of ContentsLesson 2: Configuring Virtual Private Networking for Remote Clients . . . . . . . 10-16 How to Configure VPN Client Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16 How to Configure VPN Address Assignment . . . . . . . . . . . . . . . . . . . . . . 10-20 How to Configure VPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23 How to Configure VPN Connections from Client Computers . . . . . . . . . . . 10-27 Guidelines for Troubleshooting VPN Client Connections . . . . . . . . . . . . . . 10-28 Practice: Configuring Virtual Private Networking for Remote Clients . . . . . 10-29 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
10-32 Lesson 3: Configuring Virtual Private Networking for Remote Sites . . . . . . . . . 10-33 Configuring a Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33 What Are Site-to-Site VPNs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-34 Guidelines for Choosing a VPN Tunneling Protocol . . . . . . . . . . . . . . . . . . 10-34 How to Configure a Remote-Site Network . . . . . . . . . . . . . . . . . . . . . . . . 10-36 How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode . . . . . . . . . 10-39 How to Configure Network and Access Rules for Site-to-Site VPNs . . . . . . 10-40 How to Configure the Remote-Site VPN Gateway Server . . . . . . . . . . . . . . 10-42 Guidelines for Troubleshooting Site-to-Site VPNs . . . . . . . . . . . . . . . . . . . 10-43 Practice: Configuring Virtual Private Networking for Remote Sites . . . . . . . 10-44 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-47 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48 Lesson 4: Configuring VPN Quarantine Control . . . . . . . . . . . . . . . . . . . . . . . 10-50 What Is Network Quarantine Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50 How Network Quarantine Control Is Implemented Using ISA Server . . . . . 10-51 How to Prepare the Client-Side Script . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-53 How to Configure VPN Clients Using Connection Manager . . . . . . . . . . . . 10-55 How to Prepare the Listener Component . . . . . . . . . . . . . . . . . . . . . . . . 10-56 How to Enable Quarantine Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-57 How to Configure Internet Authentication Server for Network Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-59 How to Configure Quarantined VPN Client-Access Rules . . . . . . . . . . . . . 
10-60 Practice: Configuring VPN Quarantine Control . . . . . . . . . . . . . . . . . . . . . 10-61 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-67 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-68 Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-69 Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-69 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-70 19. Table of ContentsxxiiiExam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-71 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-71 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7211Implementing Monitoring and Reporting11-1Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Lesson 1: Planning a Monitoring and Reporting Strategy . . . . . . . . . . . . . . . . . 11-3 Why You Should Implement Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 ISA Server Monitoring Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Guidelines for Planning a Monitoring and Reporting Strategy . . . . . . . . . . . 11-6 ISA Server Performance and Service Monitoring . . . . . . . . . . . . . . . . . . . . 11-9 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13 Lesson 2: Configuring and Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . 11-15 What Are Alerts? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
11-15 How to Configure Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17 Guidelines for Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23 Practice: Configuring and Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . 11-24 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28 Lesson 3: Configuring Session and Connectivity Monitoring . . . . . . . . . . . . . . 11-29 What Is Session Monitoring? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29 How to Monitor Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30 What Is Connectivity Monitoring? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34 How to Configure Connectivity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 11-34 Practice: Configuring Session and Connectivity Monitoring . . . . . . . . . . . . 11-36 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39 Lesson 4: Configuring Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . 11-40 What Is ISA Server Logging? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40 How to Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-41 How to View ISA Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-44 What Are ISA Server Reports? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-47 How to Configure ISA Server Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-48 Practice: Configuring ISA Server Reporting . . . . . . . . . . . . . . . . . . . . . . . 11-54 Lesson Review . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-55 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-57 Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-61 20. xxiv12Table of ContentsImplementing ISA Server 2004, Enterprise Edition12-1Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Lesson 1: ISA Server 2004 Enterprise Edition Overview . . . . . . . . . . . . . . . . . 12-3 Why Deploy ISA Server, Enterprise Edition? . . . . . . . . . . . . . . . . . . . . . . . 12-3 How Does ISA Server, Enterprise Edition, Store Configuration Information? . 12-5 ISA Server Enterprise Edition Configuration Components . . . . . . . . . . . . . . 12-8 How Enterprise Policies and Array Policies Work . . . . . . . . . . . . . . . . . . . 12-11 How Enterprise Edition Integrates with Network Load Balancing . . . . . . . . 12-13 How Enterprise Edition Enables Virtual Private Networking . . . . . . . . . . . 12-15 How Enterprise Edition Enables Distributed Caching Using CARP . . . . . . . 12-15 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18 Lesson 2: Planning an ISA Server 2004 Enterprise Edition Deployment . . . . . 12-20 ISA Server Enterprise Edition Deployment Scenarios . . . . . . . . . . . . . . . . 12-20 Guidelines for Planning the Configuration Storage Server Deployment . . . 12-22 Guidelines for Planning Enterprise and Array Policy Configuration . . . . . . . 
12-24 Guidelines for Planning for Centralized Monitoring and Management . . . . 12-26 Guidelines for Planning a Back-to-Back Firewall Deployment . . . . . . . . . . . 12-27 Guidelines for Planning a Branch-Office Deployment . . . . . . . . . . . . . . . . 12-35 How Migrating from ISA Server 2000, Enterprise Edition, Works . . . . . . . 12-38 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-39 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-41 Lesson 3: Implementing ISA Server 2004, Enterprise Edition . . . . . . . . . . . . 12-43 Requirements for Installing Enterprise Edition . . . . . . . . . . . . . . . . . . . . 12-43 How to Install Configuration Storage Server . . . . . . . . . . . . . . . . . . . . . . 12-45 Practice: Installing a Configuration Storage Server . . . . . . . . . . . . . . . . . 12-48 How to Configure Enterprise Policies and Networks . . . . . . . . . . . . . . . . . 12-50 How to Configure Arrays and Array Policies . . . . . . . . . . . . . . . . . . . . . . . 12-53 Practice: Configuring Enterprise and Array Policies . . . . . . . . . . . . . . . . . 12-57 How to Install ISA Server 2004, Enterprise Edition . . . . . . . . . . . . . . . . . 12-60 Practice: Installing ISA Server 2004, Enterprise Edition . . . . . . . . . . . . . . 12-62 How to Configure NLB and CARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-65 Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-70 Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-71 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-73 Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-74 Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . 12-74 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-75 21. Table of ContentsPart 213xxvPrepare for the Exam Planning and Installing ISA Server 2004 (1.0)13-3Testing Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Plan an ISA Server 2004 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6 Objective 1.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7 Objective 1.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15 Assess and Configure the Operating System, Hardware, and Network Services . . 13-21 Objective 1.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22 Objective 1.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26 Deploy ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30 Objective 1.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-31 Objective 1.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3514Installing and Configuring Client Computers (2.0)14-1Testing Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1 Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Install Firewall Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Objective 2.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Objective 2.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6 Configure Client Computers for ISA Server 2004 . . . . . . . . 
    Objective 2.2 Questions
    Objective 2.2 Answers
  Configure a Local Domain Table (LDT)
    Objective 2.3 Questions
    Objective 2.3 Answers
  Configure ISA Server 2004 for Automatic Client Configuration by Using Web Proxy Automatic Discovery (WPAD)
    Objective 2.4 Questions
    Objective 2.4 Answers
  Diagnose and Resolve Client Computer Connectivity Issues
    Objective 2.5 Questions
    Objective 2.5 Answers

15 Configuring and Managing ISA Server 2004 (3.0)
  Testing Skills and Suggested Practices
  Further Reading
  Configure the System Policy
    Objective 3.1 Questions
    Objective 3.1 Answers
  Back Up and Restore ISA Server 2004
    Objective 3.2 Questions
    Objective 3.2 Answers
  Define Administrative Roles
    Objective 3.3 Questions
    Objective 3.3 Answers
  Configure Firewall Settings
    Objective 3.4 Questions
    Objective 3.4 Answers
  Configure ISA Server 2004 for Network Load Balancing
    Objective 3.5 Questions
    Objective 3.5 Answers
  Configure ISA Server 2004 to Support a Network Topology
    Objective 3.6 Questions
    Objective 3.6 Answers

16 Configuring Web Caching (4.0)
  Tested Skills and Suggested Practices
  Further Reading
  Configure Forward Caching and Reverse Caching
    Objective 4.1 Questions
    Objective 4.1 Answers
  Optimize Performance on the ISA Server 2004 Cache
    Objective 4.2 Questions
    Objective 4.2 Answers
  Diagnose and Resolve Caching Issues
    Objective 4.3 Questions
    Objective 4.3 Answers

17 Configuring Firewall Policy (5.0)
  Tested Skills and Suggested Practices
  Further Reading
  Plan a Firewall Policy
    Objective 5.1 Questions
    Objective 5.1 Answers
  Create Policy Elements, Access Rules, and Connection Limits
    Objective 5.2 Questions
    Objective 5.2 Answers
  Create Policy Rules for Web Publishing
    Objective 5.3 Questions
    Objective 5.3 Answers
  Create Policy Rules for Mail Server Publishing
    Objective 5.4 Questions
    Objective 5.4 Answers
  Create Policy Rules for Server Publishing
    Objective 5.5 Questions
    Objective 5.5 Answers

18 Configuring and Managing Remote Network Connectivity (6.0)
  Tested Skills and Suggested Practices
  Further Reading
  Configure ISA Server 2004 for Site-to-Site VPNs
    Objective 6.1 Questions
    Objective 6.1 Answers
  Configure ISA Server 2004 as a Remote-Access VPN Server
    Objective 6.2 Questions
    Objective 6.2 Answers
  Diagnose and Resolve VPN Connectivity Issues
    Objective 6.3 Questions
    Objective 6.3 Answers

19 Monitoring and Reporting ISA Server 2004 Activity (7.0)
  Tested Skills and Suggested Practices
  Further Reading
  Monitor ISA Server 2004 Activity
    Objective 7.1 Questions
    Objective 7.1 Answers
  Configure and Run Reports
    Objective 7.2 Questions
    Objective 7.2 Answers
  Configure Logging and Alerts
    Objective 7.3 Questions
    Objective 7.3 Answers

Glossary
Index

Acknowledgements

Writing a book is always enjoyable because it gives me a chance to learn everything I can about an interesting product and then communicate what I have learned to you, the reader. Writing this book has been particularly enjoyable because everything that happened around the writing part went so smoothly. For that I have to thank the team that worked with me on the book. Special thanks to my daughter, Amanda, who helped out a great deal with the technical writing of this book. And thanks to Gary Dunlop, who wrote most of the review questions and scenarios in the first part of the book. As usual, the team at Microsoft Learning was great. Julie Pickering got me involved in the project and managed the project with her usual sense of humor. Lori Kane and Colin Lyth provided book design and technical guidance. Most of the actual editing for the book was handled by another team headquartered at nSight in Burlington, Mass.
Sue McClung, the project manager, kept us all on schedule. The expertise in network security provided by Kurt Dillard, the technical editor, made this a better book. In addition, the editing team included the following: Peter Tietjen, copy editor; Peter Amirault, desktop production specialist; Jan Cocker, Cindy Gierhart, Tempe Goodhue, and Kiren Valjee, proofreaders; and Jack Lewis, indexer. Thanks to all of you.

Stan Reimer

I would love to thank my wife Oksana and son Rooslan for their love, support, and patience. I would also like to deeply thank the following people at Microsoft Learning and nSight who have been instrumental in bringing about a successful conclusion to the writing process: Julie Pickering, Susan McClung, Stan Reimer, Kurt Dillard, Lori Kane, Randall Galloway, Peter Tietjen, Peter Amirault, Colin Lyth, and Paul Blount. Finally, I'd like to thank Mick, Lards, Kasia, Shan, Linton, Corey, Lee, Gillian, Joan, Neil, Elena, Alex, Serge, Chris, Mike, Sergio, Michael, and Aunt Galina for all the ways in which they have made my family's life brighter.

Orin Thomas

About This Book

Welcome to MCSA/MCSE Self-Paced Training Kit (Exam 70-350): Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004. This training kit is designed to provide the knowledge you need to pass the 70-350 certification exam. More importantly, this training kit also provides you with the knowledge and skills required to implement, manage and administer ISA Server 2004 in a real-world environment. This goal is much more important than just passing the exam; after all, passing an exam is of little value if you cannot actually use the knowledge you have gained to implement ISA Server 2004. To help you gain the required knowledge and skill, this book uses conceptual information, hands-on exercises and troubleshooting labs, real-world scenarios based on the authors' consulting experiences, and questions designed to reinforce what you have learned.

Note: For more information about becoming a Microsoft Certified Professional, see the section titled "The Microsoft Certified Professional Program" later in this introduction.

Intended Audience

This book was developed for information technology (IT) professionals who plan to take the related Microsoft Certified Professional exam 70-350: Implementing Microsoft Internet Security and Acceleration Server 2004, as well as IT professionals who design, develop, and implement Microsoft ISA Server 2004 for Microsoft Windows-based environments.

Note: Exam skills are subject to change without prior notice and at the sole discretion of Microsoft.

Prerequisites

This training kit requires that students meet the following prerequisites: Candidates for this exam operate in medium-sized to very large networked computing environments that use Microsoft Windows 2000 Server and Microsoft Windows Server 2003 operating systems. Candidates have a basic understanding of Active Directory directory service, DNS, DHCP, WINS, Certificate Services, RADIUS, Routing and Remote Access Service, FTP, HTTP, HTTPS, TCP/IP, IMAP, POP3, RDP, SMTP, and SSL.
They have a minimum of one year's experience implementing and administering networks and operating systems in environments that have the following characteristics:

- Between 50 and 10,000-plus supported users
- Multiple physical locations
- Outbound access for typical client services and applications, such as Web access, e-mail, Telnet, FTP, VPN, desktop management, Instant Messaging, and access control policies
- Hosting of network services, such as internal and external Web hosting, messaging, Instant Messaging, RDP, and firewall
- Connectivity requirements that include connecting individual offices and users at remote locations to the corporate network and connecting networks to the Internet
- Using ISA Server firewall or caching services, or both, in a production environment

About the CD-ROM

For your use, this book includes a Supplemental CD-ROM, which contains a variety of informational aids to complement the book content:

- The Microsoft Press Readiness Review Suite Powered by MeasureUp. This suite of practice tests and objective reviews contains questions of varying degrees of complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.
- An electronic version of this book (eBook). For information about using the eBook, see the section entitled "The eBook" later in this introduction.

A second CD-ROM contains a 180-day evaluation edition of ISA Server 2004, Standard Edition.

Features of This Book

This book has two parts. Use Part 1 to learn at your own pace and practice what you've learned with practical exercises.
Part 2 contains questions and answers you can use to test yourself on what you've learned.

Part 1: Learn at Your Own Pace

Each chapter identifies the exam objectives that are covered within the chapter, provides an overview of why the topics matter by identifying how the information is applied in the real world, and lists any prerequisites that must be met to complete the lessons presented in the chapter. The chapters are divided into lessons. Lessons contain practices that include one or more hands-on exercises. These exercises give you an opportunity to use the skills being presented or explore the part of the application being described. After the lessons, you are given an opportunity to apply what you've learned in a case scenario exercise. In this exercise, you work through a multi-step solution for a realistic case scenario. In many chapters, you are also given an opportunity to work through a troubleshooting lab that explores difficulties you might encounter when applying what you've learned on the job. Each chapter ends with a short summary of key concepts and a short section listing key topics and terms you need to know before taking the exam. This section summarizes the key topics you've learned, with a focus on demonstrating that knowledge on the exam.

Real World: Helpful Information

You will find sidebars like this one that contain related information you might find helpful. "Real World" sidebars contain specific information gained through the experience of IT professionals just like you.

Part 2: Prepare for the Exam

Part 2 helps to familiarize you with the types of questions you will encounter on the MCP exam. By reviewing the objectives and sample questions, you can focus on the specific skills you need to improve before taking the exam.

See Also: For a complete list of MCP exams, go to http://www.microsoft.com/learning/mcp/mcp/requirements.asp.

Part 2 is organized by the exam's objectives.
Each chapter covers one of the primary groups of objectives, referred to as Objective Domains. Each chapter lists the tested skills you need to master to answer the exam questions, and it includes a list of further readings to help you improve your ability to perform the tasks or skills specified by the objectives. Within each Objective Domain, you will find the related objectives that are covered on the exam. Each objective provides you with several practice exam questions. The answers are accompanied by explanations of each correct and incorrect answer.

Note: These questions are also available on the companion CD as a practice test.

Informational Notes

Several types of reader aids appear throughout the training kit.

- Tip contains methods of performing a task more quickly or in a not-so-obvious way.
- Important contains information that is essential to completing a task.
- Note contains supplemental information.
- Caution contains valuable information about possible loss of data; be sure to read this information carefully.
- Warning contains critical information about possible physical injury; be sure to read this information carefully.
- See Also contains references to other sources of information.
- Planning contains hints and useful information that should help you to plan the implementation.
- On the CD points you to supplementary information or files you need that are on the companion CD.
- Security Alert highlights information you need to know to maximize security in your work environment.
- Exam Tip flags information you should know before taking the certification exam.
- Off the Record contains practical advice about the real-world implications of information presented in the lesson.

Notational Conventions

The following conventions are used throughout this book:

- Characters or commands that you type appear in bold type.
- Italic in syntax statements indicates placeholders for variable information.
  Italic is also used for book titles.
- Names of files and folders appear in Title Caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a file name in a dialog box or at a command prompt.
- File name extensions appear in all uppercase.
- Acronyms appear in all uppercase.
- Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.
- Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.
- Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.

Keyboard Conventions

- A plus sign (+) between two key names means that you must press those keys at the same time. For example, "Press ALT+TAB" means that you hold down ALT while you press TAB.
- A comma ( , ) between two or more key names means that you must press each of the keys consecutively, not together. For example, "Press ALT, F, X" means that you press and release each key in sequence. "Press ALT+W, L" means that you first press ALT and W at the same time, and then release them and press L.

Getting Started

This training kit contains hands-on exercises to help you learn about ISA Server 2004 by performing the actual steps required to implement, configure, and troubleshoot ISA Server 2004. These exercises provide hands-on skills training that you will need to pass the exam, and to deploy ISA Server successfully in your network environment. Use this section to prepare your self-paced training environment.

To complete some of these procedures, you must have up to four networked computers or be connected to a larger network.
All computers must be capable of running Microsoft Windows Server 2003 or Microsoft Windows XP. One of the computers must also be capable of running Microsoft Exchange Server 2003.

Caution: Several exercises might require you to make changes to your servers. This might have undesirable results if you are connected to a larger network. Check with your Network Administrator before attempting these exercises.

Hardware Requirements

Each computer must have the following minimum configuration. All hardware should be on the Windows Server 2003 or Windows XP Hardware Compatibility List.

- A personal computer with a 550 megahertz (MHz) or higher Pentium III-compatible CPU.
- 256 megabytes (MB) of memory.
- For the computers that will be configured as ISA Server computers, you need one network adapter for communication with the internal network and an additional network adapter for each network directly connected to the ISA Server 2004 computer. You need two network adapters for most exercises, with a third network adapter required for one exercise.
- One local hard disk partition that is formatted with the NTFS file system and that has at least 150 megabytes (MB) of available hard-disk space. If you enable caching and logging, you will need additional hard-disk space.
- CD-ROM drive.
- Microsoft Mouse or compatible pointing device.

Software Requirements

The following software is required to complete the procedures in this training kit. (A 180-day evaluation edition of ISA Server 2003, Enterprise Edition, is included on the CD-ROM.)

- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Internet Security and Acceleration Server 2004, Standard Edition
- Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition (required only for Chapter 12, "Implementing ISA Server, Enterprise Edition")
- Microsoft Exchange Server 2003, either Standard or Enterprise Edition (required only for Chapter 9, "Integrating ISA Server 2004 and Exchange Server," and Chapter 11, "Implementing Monitoring and Reporting")
- Microsoft Windows XP, Professional Edition
- Microsoft Outlook 2003

Caution: The 180-day Evaluation Edition that is provided with this training kit is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support these evaluation editions.

For additional support information regarding this book and the CD-ROMs (including answers to commonly asked questions about installation and use), visit the Microsoft Press Technical Support Web site at http://www.microsoft.com/learning/support/default.asp. You can also e-mail [email protected] or send a letter to Microsoft Press, Attn: Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98502-6399.

Setup Instructions

Set up your computer according to the manufacturer's instructions. For the exercises that require networked computers, you need to make sure the computers can communicate with each other. The first computer will be configured as a domain controller in the cohovineyard.com domain and installed as DC1. This computer should have an IP address of 10.10.0.10. If you use a different IP address, you will need to modify the practices and labs that use this IP address. A second computer will act as an ISA Server 2004 computer for most of the procedures in this course. This computer will have Windows Server 2003 installed, use a computer name of ISA1, and will be configured as a domain member in the cohovineyard.com domain. This server should have two network interfaces installed. The network interface assigned to the internal network should have an IP address of 10.10.0.1. The network interface assigned to the external net