Beijing Microsoft Classroom: ISA Server 2000 Features, Installation and Deployment (invitation)

MICROSOFT
Enterprise server: ISA Server
The perfect combination of security and speed
Beijing Weinuoer Computer Network Technology Co., Ltd. (北京维诺尔计算机网络技术有限公司)
Yuan Zineng (袁子能), ISA Server technical support
Tel: 88472430 / 13011035647
E-mail: [email protected]
Security problems keep growing
[Chart: growth of malicious activity, 1995 to 2001 (2001 covers Q1-Q3 only). Two series, Vulnerabilities and Incidents, plotted on a 0 to 35,000 scale. All data from http://www.cert.org/stats]
ISA SERVER
ISA Server Editions
• ISA Server Standard Edition
• ISA Server Enterprise Edition
Microsoft® ISA Server 2000 Standard Edition vs. Enterprise Edition feature comparison
Feature | Standard Edition | Enterprise Edition
Server deployment | Stand-alone operation | Centralized management of multiple servers
Policy support | Local server only | Server arrays
Hardware support | Up to 4 CPUs | Unlimited
Web cache | Suited to small businesses | Suited to medium and large enterprises
Scalability | Hierarchical only | Hierarchical and distributed
Distributed and hierarchical caching | Limited | Full
Unified management (Windows® 2000 Active Directory integration): multi-level policy | None | Yes
Unified management (Windows® 2000 Active Directory integration): multi-server management | None | Yes
Installing ISA Server
• Hardware and software requirements
• Choosing an installation mode
• Specifying the cache size
• Configuring the LAT (local address table)
• Upgrading from Microsoft Proxy Server 2.0
Identifying Hardware and Software Requirements
CPU: 300 MHz or higher
RAM: 256 MB
Operating system: Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server
Hard disk space: 20 MB, on an NTFS-formatted partition
Network adapters: an internal adapter and an external adapter
Active Directory: required for arrays
Installation Modes
• Cache mode: installs cache and Web hosting (publishing) functionality only. Cache mode is recommended only for computers that are not directly connected to the Internet; if the computer is directly connected to the Internet, install ISA Server in integrated mode.
• Firewall mode: installs enterprise firewall functionality.
• Integrated mode: installs integrated enterprise firewall, cache, and Web hosting functionality.
Setup note (Microsoft Internet Security and Acceleration Server Setup): Setup stops the IIS publishing service (W3SVC). After Setup is complete, uninstall IIS or reconfigure all IIS sites not to use ports 80 and 8080, because ISA Server's own listeners take those ports.
Specifying the Initial Cache Size
Setup asks for the NTFS drives on which caches should be located and the maximum size of each cache. The initial cache size is 100 MB; add 0.5 MB for each Web Proxy client. In the example dialog: drive C: [NTFS], available space 28722 MB, cache size 100 MB, total cache size 100 MB (click Set to apply the size for the selected drive).
Configuring the LAT
The local address table (LAT) tells ISA Server which IP address ranges are internal, and it should include all the addresses on your internal network and nothing else. ISA Server treats traffic between LAT addresses as internal and does not apply firewall policy to it, and Firewall clients send requests for LAT addresses directly instead of through ISA Server, so a public or external range placed in the LAT is effectively removed from the firewall's protection.
Setup dialog: "Enter the IP address ranges that span the internal network address space." Internal IP ranges are entered as From/To pairs; the deck's example uses 192.168.1.200 as the ISA Server's internal address and the 192.168.x.x range.
1. Click Construct Table.
2. In the Local Address Table dialog, select the options to add private IP address ranges or routing table entries:
   - Add the following private ranges: 10.x.x.x, 192.168.x.x, 172.16.x.x to 172.31.x.x, and 169.254.x.x (the slide prints the upper bound as "173.31.xx", a typo for 172.31.x.x).
   - Add address ranges based on the Windows 2000 routing table, by selecting the internal network adapters. In the example: MS LoopBack Driver (169.254.25.129) and 3Com EtherLink PCI (192.168.1.200).
3. Verify the IP addresses that appear in the local address table.
Select only the adapters that really are internal: never add the external adapter, and add the 169.254.x.x (APIPA) range only if internal hosts actually use it.
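The three steps above are easy to get wrong when the routing table contains the external adapter as well, so here is an added example (not ISA Server's code) that builds a LAT the way the wizard does, from the private ranges plus the networks of the selected adapters, and then checks that no external address ended up inside it. The routing table is a constructed stand-in; the adapter names and the 131.107.3.0/24 external network are taken from this deck.

```python
import ipaddress

# Private ranges as the LAT wizard offers them: RFC 1918 plus APIPA.
# The slide's "173.31.xx" upper bound is read as 172.31.x.x (a typo on the slide).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed stand-in for the Windows 2000 routing table:
# (destination, netmask, interface address, adapter name).
ROUTES = [
    ("192.168.1.0", "255.255.255.0", "192.168.1.200", "3Com EtherLink PCI"),
    ("169.254.0.0", "255.255.0.0", "169.254.25.129", "MS LoopBack Driver"),
    ("131.107.3.0", "255.255.255.0", "131.107.3.1", "External adapter"),
]


def ranges_from_routes(routes, internal_adapters):
    """Networks directly attached to the adapters the administrator marked internal."""
    return [
        ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        for dest, mask, _ip, adapter in routes
        if adapter in internal_adapters
    ]


def build_lat(networks):
    """Collapse overlapping networks and return (From, To) pairs, the form the
    LAT dialog displays and that ends up in msplat.txt."""
    merged = ipaddress.collapse_addresses(networks)
    return [(str(n.network_address), str(n.broadcast_address)) for n in merged]


def check_lat(lat, external_ips):
    """Return every external address that falls inside the LAT. Each hit is a
    misconfiguration: ISA Server would treat that address as internal."""
    hits = []
    for ip in external_ips:
        addr = ipaddress.ip_address(ip)
        if any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in lat):
            hits.append(ip)
    return hits


if __name__ == "__main__":
    lat = build_lat(PRIVATE_RANGES + ranges_from_routes(ROUTES, {"3Com EtherLink PCI"}))
    for lo, hi in lat:
        print(f"{lo}\t{hi}")
    print("external addresses inside the LAT:", check_lat(lat, ["131.107.3.1"]))
```

Run the check against the external adapter's address whenever the LAT changes; an empty result is the expected state, and any hit means an adapter that should not have been selected in step 2.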
Maintaining the LAT and LDT
[Diagram: ISA Server (192.168.100.225) sits between the Internet and the clients. The LAT is distributed to Firewall clients as Msplat.txt, so each client (shown with 192.168.100.200 and 192.168.100.300, the latter not a valid IPv4 address as printed on the slide) holds its own copy. The LDT is the local domain table, the list of internal domain names the Firewall client resolves locally.]
Upgrading from Microsoft Proxy Server 2.0
[Diagram: Windows NT with Proxy Server 2.0 is first upgraded to Windows 2000, then to ISA Server 2000. Client requests that went to Proxy Server 2.0 on port 80 go to ISA Server on port 8080 after the upgrade; Winsock Proxy clients are upgraded to Firewall Clients.]
ISA Server deployment topologies
• Bastion host
• Perimeter network with a three-homed firewall
• Perimeter network with back-to-back firewalls
[Diagrams: Bastion host: Internet, Firewall, Internal Network. Three-homed firewall: the Firewall has a third interface to the Perimeter Network. Back-to-back firewalls: Internet, ISA SRV, Perimeter Network, ISA SRV, Internal Network. Branch office or small business: the actual connection passes through the ISA Server firewall, while the perceived connection to the Internet is direct.]
ISA design goals
Secure, fast Internet connectivity
Security
Secure Internet Connectivity Through a
Multilayered Firewall
Acceleration
Fast Web Access with a High-Performance
Cache
Management
Unified Management with Integrated
Administration
Extensibility
Extensible and Open Platform
Requirement 1: Secure Internet access
• Multilayer firewall
• Intrusion detection
• DMZ (perimeter network) support
• Server publishing
• Integrated VPN
• Dynamic packet filtering
• NAT support
• System hardening ("secure lockdown")
• Load balancing support
Multilayer filtering firewall
• Bottom up: protect every layer
  - IP layer (packet filtering): static filtering; dynamic port filtering
  - Circuit layer: session-based filtering; connection-based control
  - Application layer: intelligent content inspection
[Diagram: three levels, packet level (IP layer), circuit level and application level. The IP header answers "source address?" and "destination address?"; the UDP/TCP header answers "requested destination port (which service)?"; the payload answers "what is the content?".]
IP packet filtering
• Uses the IP header information
• Analyzes the IP packet contents
Circuit-level security control
[Diagram: client, server, the primary connection and a secondary connection]
• The relationship between sessions and connections
• Intelligent monitoring and control of the primary connection
Application-level security control
[Diagram: Client, Internet, Company server. Examples blocked at the application layer: HTTP: forbidden site; HTTP: virus; DNS: zone attack; SMTP: VRFY *]
• Intelligent inspection
• Content filtering and lockdown
• Protection against known vulnerabilities
Filters and Network Access
[Diagram: Access Policy between the External Network and the Internal Network. HTTP to All Destinations is allowed; Streaming Media, SMTP and DNS traffic pass through the corresponding application filters (DNS intrusion detection among them) before reaching the firewall rules.]
Processing outgoing client requests
For a request from an internal client, ISA Server evaluates the rules in this order; at each stage a matching deny rule wins over any allow rule, and a request that no rule allows is denied:
1. Is there a protocol rule that allows the request? No: deny the request.
2. Is there a protocol rule that denies the request? Yes: deny the request.
3. Is there a site and content rule that allows the request? No: deny the request.
4. Is there a site and content rule that denies the request? Yes: deny the request.
5. Does a routing rule specify routing to an upstream server? Yes: route to the upstream server.
6. Does an IP packet filter block the request? Yes: deny the request. No: retrieve the object.
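The decision order above is the part of ISA Server policy that administrators most often misread (a deny rule placed "after" an allow rule still wins), so here is an added example, not ISA Server's code, that implements the flowchart over a small constructed policy. The rule, client, destination and content-group names are assumptions for the example; the hosts www.bjwne.com and nwtraders.msft come from this deck.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str       # protocol definition name, e.g. "HTTP"
    port: int           # destination port
    destination: str    # destination host
    content_group: str  # content group name, e.g. "HTML Documents"


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    protocols: Optional[FrozenSet[str]] = None    # None = any protocol
    clients: Optional[FrozenSet[str]] = None      # None = any client address
    destinations: Optional[FrozenSet[str]] = None # None = all destinations
    content: Optional[FrozenSet[str]] = None      # None = all content groups

    def matches(self, r: Request) -> bool:
        return ((self.protocols is None or r.protocol in self.protocols)
                and (self.clients is None or r.client_ip in self.clients)
                and (self.destinations is None or r.destination in self.destinations)
                and (self.content is None or r.content_group in self.content))


def stage_allows(rules: List[Rule], r: Request) -> bool:
    """One rule type, as in the flowchart: first look for a matching allow rule
    (none: deny), then for a matching deny rule (one: deny). A deny rule
    therefore wins regardless of its position in the list."""
    hits = [rule for rule in rules if rule.matches(r)]
    if not any(rule.action == "allow" for rule in hits):
        return False
    if any(rule.action == "deny" for rule in hits):
        return False
    return True


def decide(r: Request, protocol_rules: List[Rule], site_rules: List[Rule],
           routing_rules: List[Tuple[Optional[FrozenSet[str]], str]],
           packet_filters: Set[Tuple[str, int]]) -> str:
    if not stage_allows(protocol_rules, r):
        return "deny (protocol rule)"
    if not stage_allows(site_rules, r):
        return "deny (site and content rule)"
    for destinations, upstream in routing_rules:
        if destinations is None or r.destination in destinations:
            return f"route to upstream {upstream}"
    if (r.protocol, r.port) in packet_filters:   # blocking packet filters
        return "deny (IP packet filter)"
    return "retrieve object"


# Constructed policy for the example.
PROTOCOL_RULES = [
    Rule("allow", protocols=frozenset({"HTTP", "HTTPS", "FTP", "TELNET"})),
    Rule("deny", protocols=frozenset({"FTP"}), clients=frozenset({"192.168.101.7"})),
]
SITE_RULES = [
    Rule("allow"),                                               # all destinations
    Rule("deny", destinations=frozenset({"forbidden.example"})),
    Rule("deny", content=frozenset({"Video"})),                   # content group
]
ROUTING_RULES = [(frozenset({"www.bjwne.com"}), "upstream-isa.example:8080")]
PACKET_FILTERS = {("TELNET", 23)}


def classify(r: Request) -> str:
    return decide(r, PROTOCOL_RULES, SITE_RULES, ROUTING_RULES, PACKET_FILTERS)


if __name__ == "__main__":
    for req in [
        Request("192.168.101.5", "HTTP", 80, "www.bjwne.com", "HTML Documents"),
        Request("192.168.101.7", "FTP", 21, "nwtraders.msft", "Documents"),
        Request("192.168.101.5", "HTTP", 80, "nwtraders.msft", "Video"),
    ]:
        print(req.client_ip, req.protocol, req.destination, "->", classify(req))
```

Note that the FTP request from 192.168.101.7 is denied even though the first protocol rule allows FTP for everyone: the deny rule is evaluated at the same stage and takes precedence.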
Intrusion detection
• Detection of and alerting on IP packet-level attacks
  - All types of port scan
  - IP half scan attack
  - Ping of death
  - UDP bomb attack
  - WinNuke
  - Land attacks
• Application-layer attacks
  - DNS hostname overflow
  - DNS length overflow
  - DNS zone transfer from privileged ports (1-1024)
  - DNS zone transfer from high ports (above 1024)
  - POP buffer overflow
Configuring Intrusion Detection
IP Packet Filters Properties, Intrusion Detection tab: enable detection of the selected attacks: Windows out-of-band (WinNuke), Land, Ping of death, IP half scan, UDP bomb, Port scan (detect after attacks on 10 well-known ports; detect after attacks on 20 ports).
DNS intrusion detection filter Properties, Attacks tab: filter incoming traffic for DNS host name overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), DNS zone transfer from high ports (above 1024).
Select the options that are required to implement your monitoring strategy. To receive alerts about intrusion attacks, see the properties for the specific alerts in the Alerts folder.
Intrusion detection functionality is based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net.
Actions that can be taken when an intrusion is detected
1. Record the event in the system (Windows 2000 event) log
2. Send e-mail
3. Run a specified program
4. Stop specified services
5. Start specified services
Publishing: how ISA differs from Proxy 2.0
• Proxy 2.0: depends on the IIS service; the published server must have the Proxy Client installed; no SSL bridging.
• ISA: a fully independent service, so IIS can be uninstalled entirely; the published server needs no software installed (it is configured as a SecureNAT client); supports port redirection (port mapping); supports SSL bridging.
Publishing
[Diagram: the ISA Server's external adapter (131.107.3.1) faces the Internet and its internal adapter (192.168.9.1) faces the internal network, where the Web server www.bjwne.com is published.]
Publishing servers on a back-to-back perimeter network
[Diagram: Internet, ISA Server, Perimeter Network (Web Server), ISA Server, Internal Network (SQL Server). Each ISA Server's LAT covers the network behind it.]
Publishing a server (wizard steps): Start; Name the Rule; Specify Address Mapping; Select a Protocol Setting; Select a Client Type; Finish.
Publishing a Mail Server
Mail Server Security Wizard, Mail Services Selection page: select the mail services that you would like to publish to your external users. Each service can be published with Default Authentication or SSL Authentication: Incoming SMTP (with the option to apply content filtering to incoming SMTP traffic), Outgoing SMTP, Incoming Microsoft Exchange/Outlook, Incoming POP3, Incoming IMAP4, Incoming NNTP.
Guidelines for Using Publishing
If your network does not have a perimeter network: use server publishing.
If your network has a back-to-back perimeter network configuration: use server publishing on both ISA Server computers.
If your network has a three-homed perimeter network configuration: use routing and packet filtering between the Internet and the perimeter network, and server publishing between the internal and perimeter networks.
Network Load Balancing
[Diagram: an ISA Server array of three cache servers between the Internet and a published server.]
VPN
• Understanding VPNs
• Connecting Remote Users to a Corporate
Network
• Connecting Remote Networks to a Local
Network
Connecting remote users to a corporate network
[Diagram: Remote User, Internet, VPN Tunnel, ISA Server computer, Corporate Network]
Connecting remote networks to a local network
[Diagram: Remote Network, ISA Server computer, VPN Tunnel across the Internet, ISA Server computer, Local Network]
Configuring a VPN to accept client connections
ISA VPN Server Wizard, summary page: "ISA Virtual Private Network (VPN) Server can accept VPN connections from remote clients over the Internet. The Server will be configured with the properties listed below." The page lists the configuration properties set by the wizard:
• Configure Routing and Remote Access Server as a Virtual Private Network (VPN) server.
• Enforce secured authentication and encryption methods.
• Open static packet filters for allowing PPTP and L2TP over IPSec protocols.
• The number of ports available for clients to connect is 128, but this number can be (sentence cut off on the slide)
Configuring a local VPN (wizard steps): Start; Identify the Connections; Select the Protocol(s); Specify Communication; Specify Remote Addresses; Specify Local Addresses; Save Configuration File; Finish.
Configuring a remote VPN (Remote ISA VPN Wizard, ISA VPN Computer Configuration File page): specify the path and file name of the .vpc file to use when setting up and configuring the ISA VPN computer (the .vpc file includes information about the remote ISA VPN computer), then type the password used to decrypt the configuration file. Because the .vpc file carries the tunnel configuration and is protected only by that password, send the file and the password over separate channels.
Requirement 2: Fast Web access
• Improved storage and retrieval mechanisms
• RAM caching
• Active and scheduled content download
• Array support (arrays and CARP)
• Hierarchical caching
Cache types
[Diagrams: forward caching: internal network clients, Cache, Internet. Reverse caching: Internet, Cache, Web Server on the internal network. Distributed caching: several caches in front of the Internet.]
The forward caching process
1. Client 1 sends GET www.bjwne.com to ISA Server.
2. ISA Server forwards GET www.bjwne.com to the Internet.
3. The object is sent from the Internet and stored in the cache.
4. Client 2 sends GET www.bjwne.com.
5. The object is sent from the cache.
Reverse caching (Internet-facing enterprise)
[Diagram: ISA Server acts as the Web proxy in front of the Web server for http://www.bjwne.com and absorbs the Web load; the ISA Server cache sits between the Internet and the Web server.]
Processing requests for cached objects
1. A request for http://URL A arrives and the cache directory held in RAM is consulted.
2. Cache entry 1 points to the object, which is served from RAM if present there or from disk otherwise.
3. The object is returned; a backup of the cache directory is kept on disk alongside the objects.
Active and scheduled content download
• Based on the object's time to live
• ISA automatically analyzes the lifetime of cached content
• ISA automatically downloads and refreshes cached content
• Users who reach the Internet over dial-up should consider scheduled content download
Branch office / small business
[Diagram: a branch office cache server (ISA Server) chains to the main office ISA Server cache, which connects to the Internet; a small business runs a single ISA Server cache.]
Enterprise cache service
[Diagram: an ISA Server array of three caches between the corporate network and the Internet.]
Configuring HTTP Caching (Cache Configuration Properties, HTTP tab)
• Enable HTTP caching.
• Unless the source specifies an expiration, update the source: Frequently (expire immediately), Normally, or Less frequently (reduced network traffic is important).
• Set the Time To Live (TTL) of an object in the cache to this percentage of content age (time since creation or modification): 20%, no less than 15 minutes and no more than 1 day.
Configuring FTP Caching (FTP tab)
• Enable FTP caching and specify the Time to Live for all FTP objects: 1440 minutes.
Configuring Active Caching (Active Caching tab)
• Active caching automatically retrieves frequently accessed files. Enable active caching and select how often to retrieve files: Frequently (client performance is more important), Normally (client performance and reduced network traffic are equally important), or Less frequently (reduced network traffic is more important).
Configuring Advanced Cache Settings (Advanced tab)
• Do not cache objects larger than: (size in KB; the dialog shows 1).
• Cache objects that have an unspecified last modification time.
• Cache objects even if they do not have an HTTP status code of 200.
• Cache dynamic content (objects with question marks in the URL).
• Maximum size of URL cached in memory (bytes): 12800.
• If the Web site of an expired object cannot be reached: either do not return the expired object (return an error page), or return the expired object only if it expired less than this percentage of its original Time to Live ago (50%), but no more than 60 minutes ago.
• Percentage of available memory to use for caching: 50.
(Restore Defaults, OK, Cancel, Apply)
Caching non-200 responses and dynamic content trades correctness for hit rate: a personalised or error response cached for one user can be served to another, so leave these options off unless the application behind the cache is known to be safe for it.
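The HTTP tab and the Advanced tab together define a small algorithm: derive a TTL from the object's age when the origin sends no expiration, clamp it, and decide whether a stale object may still be served when the origin is unreachable. The following added example (not ISA Server's code) carries those rules through with the deck's default values; header parsing is left out and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone


def http_ttl(last_modified: datetime, now: datetime, expires: datetime = None,
             percent: int = 20,
             min_ttl: timedelta = timedelta(minutes=15),
             max_ttl: timedelta = timedelta(days=1)) -> timedelta:
    """TTL for a cached object.
    If the source specified an expiration (Expires header), honour it.
    Otherwise use `percent` of the content age (time since creation or
    modification), clamped to [min_ttl, max_ttl], the HTTP tab defaults."""
    if expires is not None:
        return max(expires - now, timedelta(0))
    age = now - last_modified
    ttl = age * (percent / 100)
    return max(min_ttl, min(max_ttl, ttl))


def serve_expired(expired_at: datetime, ttl: timedelta, now: datetime,
                  max_fraction: float = 0.5,
                  max_age: timedelta = timedelta(minutes=60)) -> bool:
    """Advanced tab rule for an unreachable origin: return the expired object
    only if it expired less than `max_fraction` of its original TTL ago and
    no more than `max_age` ago; otherwise an error page is returned."""
    stale_for = now - expired_at
    return stale_for < ttl * max_fraction and stale_for <= max_age


if __name__ == "__main__":
    now = datetime(2000, 9, 18, 21, 28, tzinfo=timezone.utc)   # constructed clock
    ten_hours_old = now - timedelta(hours=10)
    ttl = http_ttl(ten_hours_old, now)
    print("TTL for a 10-hour-old object:", ttl)              # 2 hours
    print("serve 30 min after expiry:", serve_expired(now - timedelta(minutes=30), ttl, now))
    print("serve 70 min after expiry:", serve_expired(now - timedelta(minutes=70), ttl, now))
```

The clamp matters more than the percentage: a page modified a year ago would otherwise get a TTL of weeks, and a page modified a minute ago would be refetched on every request.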
Requirement 3: Unified and flexible management
• Rule-based management
• Flexible and convenient client deployment
• Accounts can be integrated with Windows 2000 Active Directory
• MMC-based management console
• Complete logging and reporting
• Customizable alerts
• Bandwidth control (QoS)
• Many wizards
• Easy installation
Creating policy elements
• Policy element overview
• Creating schedules
• Creating bandwidth priorities
• Creating destination sets
• Creating client address sets
• Creating protocol definitions
• Creating content groups
Creating Schedules
New Schedule dialog. Name: Lunch Hours and Weekends. Description: Use this schedule to permit access to sites during lunch hours and weekends. Set the activation times for rules that are based on this schedule on a grid of hours (12 AM to 12 AM) by day (Sunday to Saturday): click Active to add portions of the week, or click Inactive to remove portions of the week. The example shows "Sunday from 12 AM to 12 AM" selected.
Creating Bandwidth Rules (wizard steps): Start; Name the Rule; Select the Protocol(s); Select a Schedule; Select a Client Type; Select a Destination Type; Select a Content Group; Select Bandwidth Priority; Finish.
Creating Bandwidth Priorities
New Bandwidth Priority dialog: Name, optional Description, Outbound bandwidth and Inbound bandwidth, each a priority value from 1 to 200 (the slide prints the outbound range as 1-2000). The deck shows two priorities: High Priority ("Assigns high priority to incoming traffic", visible value 30) and Basic Priority (visible value 20).
Creating Site and Content Rules (wizard steps): Start; Name the Rule; Specify the Rule Action; Select a Destination Set; Select a Schedule; Select a Client Type; Finish.
Creating Destination Sets
New Destination Set dialog: Name: Partner Web; optional Description; include these computers (Name/IP Range and Path). Add/Edit Destination: either a computer name (example: nwtraders.msft, with Browse…) or an IP address range (From, and an optional To). To include a specific directory in the destination set, type the path: to include all the files, use the format /dir/*; to select a specific file, use the format /dir/filename. Example path: /sales/accounts.xls.
Creating Client Address Sets
Client Set dialog: Name: Support Staff; optional Description; select the addresses of the computers that belong to this client address set (Add/Edit IP Addresses, with From and To). Example: from 192.168.101.0 to 192.168.101.255.
Creating Protocol Rules (wizard steps): Start; Name the Rule; Specify the Rule Action; Select the Protocol(s); Select a Schedule; Select a Client Type; Finish.
Creating Protocol Definitions: type a number between 1 and 65535 to specify the port number.
Creating Content Groups
ISA Management console tree: Internet Security and Acceleration Server > Servers and Arrays > LONDON > Monitoring, Computer, Access Policy, Publishing, Bandwidth Rules, Policy Elements (Schedules, Bandwidth Priorities, Destination Sets, Client Address Sets, Protocol Definitions, Content Groups).
ISA Server includes several preconfigured content groups (content type lists are truncated as on the slide):
Name | Description | Content Types
Application | Applications | application/hta, application/x-internet-signup, application/x-pkcs7-certific…
Application Data Files | Files containing data for applications | application/x-mscardfile, application/x-perform, application/x-msclip, appl…
Audio | Audio files | audio/*, .ra, .ram, .rmi, .au, .snd, .aif, .aifc, .wav, .m3u, .mid, .mp3
Compressed Files | Compressed Files | application/x-gzip, application/x-tar, application/x-gtar, application/x-com…
Documents | Documents | text/tab-separated-values, text/xml, text/h323, application/postscript, appl…
HTML Documents | HTML Documents | text/webviewhtml, text/html, .htm, .html, .htt, .stm, .xsl
Images | All known types of images | .cod, .cmx, .ief, .pbm, .pnm, .ppm, .gif, .bmp, .jfif, .jpe, .jpg, .jpeg, .ico, .pgm, .ras…
Macro Documents | Documents that may contain macr… | application/msword, application/vnd.ms-excel, application/x-msaccess, a…
Text | Text content | .txt, .h, .c, .htc, .vcf, .etx, .uls, .css, .bas, .rtx, text/plain, text/x-component, text/…
Video | Video files | video/*, .asf, .asr, .asx, .avi, .ivf, .lsf, .lsx, .mov, .movie, .mlv, .mp2, .mpa, .mpe, …
VRML | VRML | x-world/x-vrml, .flr, .wrl, .wrz, .xaf, .xof
Authentication modes
• Basic Authentication
• Digest Authentication
• Integrated Windows Authentication
• Client Certificate Authentication
Authentication overview
• SecureNAT client: no user-based authentication.
• Web Proxy client: authentication depends on the browser and operating environment.
• Firewall client: authentication is based on the client's credentials.
Configuring Authentication for Outgoing Web Requests
LONDON Array Properties, Outgoing Web Requests tab. Identification: either use the same listener configuration for all internal IP addresses, or configure listeners individually per IP address. The listener table shows Server LONDON, IP Address <All internal IP addresses>, Authentication: Integrated. TCP port: 8080; SSL port: 8443; Enable SSL listeners. Connections: Ask unauthenticated users for identification.
Configuring Authentication Methods
Add/Edit Listeners dialog: Server: LONDON; IP Address: <All internal IP addresses>; Display Name; optionally use a server certificate to authenticate to web clients (Select…). Authentication methods: Basic with this domain (Select domain…); Digest with this domain (Select domain…); Integrated; Client certificate (secure channel only).
Basic authentication sends the password to the listener Base64-encoded, not encrypted, so enable it only on the SSL listener or where the client-to-ISA path is trusted; Digest and Integrated never send the password itself.
Adjusting Cache Size
LONDON Properties, Cache Drives tab: for each drive the table shows Type, Disk space, Free space and Cache size; type the maximum cache size (MB) for the selected drive and click Set. Example: total disk space 39064 MB, maximum cache size 100 MB, total maximum cache size 100 MB.
[Explorer window: the cache lives in the urlcache folder; urlcache\dir1 holds a Microsoft ISA Server Cache File of 100,800 KB (98.4 MB), modified 9/18/2000 9:28 PM.] The .cdat file on the drive is the same size as the cache.
Adjusting Memory Allocation
Cache Configuration Properties, Advanced tab (the same page described under Configuring Advanced Cache Settings): in "Percentage of available memory to use for caching", type a number between 1 and 100 to specify the maximum percentage of memory (the dialog shows 50).
Top-down rule enforcement structure
Active Directory
• Policy levels: Enterprise; Array; Stand-alone
• Policies can be: enforced; combined; promoted
[Diagram: the Enterprise sits above several Arrays; arrows labelled Promote lead from Stand-alone to Array and from Array to Enterprise.]
Relationship between enterprise-level and array-level policy enforcement
[Diagram: one Enterprise Policy applies to Array Policy 1 (ISA Server 1, ISA Server 2), Array Policy 2 (ISA Server 3, ISA Server 4) and Array Policy 3 (ISA Server 5, ISA Server 6); ISA Server 7 runs a stand-alone configuration outside the enterprise policy.]
Combining Enterprise Policies and Array Policies
Array Properties, Policies tab: specify whether enterprise policies should be enabled for this array, then select the enterprise policy you want to apply: Use default enterprise policy settings; Use custom enterprise policy settings (Use this enterprise policy: Enterprise Policy 1; Allow array-level access rules that restrict enterprise policy; Allow publishing rules; Force packet filtering on the array); or Use array policy only. Selecting the custom option allows array-level settings. Array-level rules can only further restrict what the enterprise policy allows; they cannot open anything the enterprise policy denies.
Cache Array Routing Protocol (CARP)
[Diagram: the Web Proxy client downloads the array membership list (Server 1 to Server 5) from the array through array.dll?Get.Info.v1, then sends each request directly to the array member that the CARP hash selects for that URL.]
Configuring CARP (Cache Array Routing Protocol)
LONDON Properties, Array Membership tab: Intra-array communication: use this IP address for intra-array communication (131.107.3.1 in the screenshot; this is the external adapter address used elsewhere in this deck, and in practice intra-array traffic should stay on an internal address). Load Factor: specify the load factor for this server, which indicates the relative cache availability of this server compared to the rest of the array members (100).
Outgoing Web Requests tab: select Resolve requests within array before routing to enable CARP.
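The deck names CARP and the load factor but does not show how a URL is mapped to an array member. The following added example (not ISA Server's code) implements the CARP idea in simplified form: hash the URL, combine it with a hash of each member's name, scale by the member's load factor, and pick the highest score. The hash constants follow the structure of the CARP v1 Internet draft as I recall it and are illustrative; the load factor handling is simplified to a plain multiplier. The property worth seeing is that removing a member moves only the URLs that member owned.

```python
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _hash(s: str) -> int:
    """32-bit string hash of the CARP style: rotate-and-add per byte, then mix."""
    h = 0
    for ch in s.encode():
        h = (_rotl(h, 19) + ch) & MASK
    h = (h + h * 0x62531965) & MASK
    return _rotl(h, 21)


def carp_select(url: str, members: dict) -> str:
    """members maps member name -> load factor. Returns the member that owns url.
    Each member's score depends only on the URL and that member, which is what
    makes the mapping stable when other members join or leave."""
    url_hash = _hash(url)
    best, best_score = None, -1
    for name, load in members.items():
        combined = url_hash ^ _hash(name)
        combined = (combined + combined * 0x62531965) & MASK
        combined = _rotl(combined, 21)
        score = combined * load            # simplified load factor weighting
        if score > best_score:
            best, best_score = name, score
    return best


def distribution(urls, members: dict) -> dict:
    counts = {name: 0 for name in members}
    for url in urls:
        counts[carp_select(url, members)] += 1
    return counts


def moved_urls(urls, before: dict, after: dict):
    """URLs whose owner changes between two membership lists."""
    return [u for u in urls if carp_select(u, before) != carp_select(u, after)]


# Constructed membership list and URL set for the example.
MEMBERS = {f"Server {i}": 100 for i in range(1, 6)}
URLS = [f"http://www.bjwne.com/docs/page{i}.html" for i in range(200)]

if __name__ == "__main__":
    print(distribution(URLS, MEMBERS))
    without_3 = {k: v for k, v in MEMBERS.items() if k != "Server 3"}
    print("URLs that move when Server 3 leaves:", len(moved_urls(URLS, MEMBERS, without_3)))
```

With a plain modulo hash, removing one of five members would remap about four fifths of all URLs; with this scheme only the departed member's share moves, which is why CARP-style routing keeps array caches warm through membership changes.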
ISA client management
• Three client types: Web Proxy client; SecureNAT client; Firewall client
[Diagram: SecureNAT clients, Web Proxy clients and Firewall clients all reach the Internet through ISA Server.]
• Web Proxy clients improve the performance of Web requests for internal clients.
• SecureNAT clients do not require you to deploy client software or configure client computers.
• Firewall clients allow Internet access only for authenticated users.
Configuring a Web Proxy client
Internet Explorer, Local Area Network (LAN) Settings. Automatic configuration (Automatically detect settings; Use automatic configuration script) may override manual settings; to ensure the use of manual settings, disable automatic configuration.
1. Select the Use a proxy server check box.
2. Type the IP address or name of the ISA Server computer in the Address box (example: 192.168.1.200).
3. Type the port number in the Port box (8080), and then click OK. Optionally select Bypass proxy server for local addresses.
ISA Server: Microsoft's Firewall
ISA Server architecture
[Diagram: on the local area network side, Web Proxy clients talk to the Web Proxy Service (with Web Filter and Cache); SecureNAT clients pass through the NAT Driver and Firewall clients through the Firewall Service; the HTTP Redirector hands HTTP from the Firewall Service to the Web Proxy Service. Application filters attached to the Firewall Service: third-party filter, streaming filter, SMTP filter, H.323 filter, FTP filter. Packet filtering sits beneath all of them on the Internet-facing side.]
Bandwidth control
• Used to control how the network is used
• Controlled through: bandwidth priorities; bandwidth rules
• What bandwidth control can do: limit the share of total bandwidth taken by multimedia; give specified users higher priority
Bandwidth rules assign relative priorities that ISA Server hands to the Windows 2000 QoS packet scheduler; they do not impose a hard limit in kilobits per second.
ISA Management: alert events
Console tree: Internet Security and Acceleration Server > Servers and Arrays > LONDON > Monitoring; Computer; Access Policy (Site and Content Rules, Protocol Rules, IP Packet Filters); Publishing; Bandwidth Rules; Policy Elements; Cache Configuration; Monitoring Configuration (Alerts, Logs, Report Jobs); Extensions (Application Filters, Web Filters); Network Configuration; Client Configuration; H.323 Gatekeepers.
Alerts folder, server PHOENIX (Name | Description; descriptions are truncated as on the slide):
Alert action failure | The action associated with this alert fa…
Cache container initialization error | The cache container initialization faile…
Cache container recovery complete | Recovery of a single cache container…
Cache file resize failure | The operation to reduce the size of the…
Cache initialization failure | The Web cache proxy was disabled to…
Cache restoration completed | The cache content restoration was co…
Cache write error | There was a failure in writing content…
Cached object discarded | During cache recovery, an object with…
Component load failure | Failed to load an extension component…
Configuration error | An error occurred while reading config…
Dial-on-demand failure | Failed to create a dial-on-demand con…
DNS intrusion | A host name overflow, length overflow…
Event log failure | An attempt to log the event information…
Firewall communication failure (event: Client/server communication…) | There is a failure in communication bet…
Intrusion detected | An intrusion was attempted by an external user
Invalid dial-on-demand credentials | Dial-on-demand credentials are invalid
Invalid ODBC log credentials | The specified user name or password…
IP packet dropped | IP packet was dropped according to s…
IP Protocol violation | A packet with invalid IP options was d…
IP spoofing (printed as "IP spooling" on the slide) | The IP packet source address is not v…
Log failure | One of the service logs failed
Missing installation component | A component that was configured for t…
Network configuration changed | A network configuration change that a…
No available ports | Failed to create a network socket bec…
OS component conflict | There is a conflict with one of the oper…
Oversized UDP packet | ISA Server dropped a UDP packet be…
POP intrusion | POP buffer overflow detected
Report Summary Generation Failure | An error occurred while generating a r…
Configuring Alerts
Intrusion detected Properties, General tab: Event: Intrusion detected; Description: "An intrusion was attempted by an external user"; Additional condition: Any intrusion; Enable.
Events tab (advanced alert properties; choose the options to customize the alert action for the event): actions are executed when the selected conditions occur: Number of occurrences before the alert is issued (1); Number of events per second before the alert is issued (0); Recurring actions are performed: Immediately, After manual reset of alert, or If time since last execution is more than N minutes.
Actions tab: Send e-mail (SMTP server: europe.london.msft; To: [email protected]; Cc; From: [email protected]; Test); Program (Run this program, Browse…; Use this account: ISA Administrator, Set Account…); Report to Windows 2000 event log; Stop selected services (Select…); Start selected services (Select…).
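The Events tab combines three controls (occurrence count, events per second, and recurrence) whose interaction is not obvious until you run events through it. The following added example, not ISA Server's code, models those controls over a constructed stream of "Intrusion detected" timestamps; how the count resets after an alert and how the two thresholds combine are this example's own reading of the dialog.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AlertPolicy:
    occurrences: int = 1            # Number of occurrences before the alert is issued
    per_second: int = 0             # Number of events per second before issuing (0 = off)
    recurrence: str = "immediately" # "immediately" | "manual_reset" | "interval"
    interval_minutes: int = 0       # used when recurrence == "interval"


class AlertState:
    def __init__(self, policy: AlertPolicy):
        self.policy = policy
        self.count = 0                      # occurrences since the last alert
        self.recent: List[float] = []       # event times within the last second
        self.last_fired: Optional[float] = None
        self.armed = True                   # cleared until manual reset

    def reset(self) -> None:
        """The administrator resets the alert in ISA Management."""
        self.armed = True

    def event(self, t: float) -> bool:
        """Feed one event at time t (seconds); True means run the alert actions."""
        p = self.policy
        self.count += 1
        self.recent = [x for x in self.recent if t - x < 1.0] + [t]
        if self.count < p.occurrences:
            return False
        if p.per_second > 0 and len(self.recent) < p.per_second:
            return False
        self.count = 0                       # thresholds met: start the next batch
        if p.recurrence == "manual_reset":
            if not self.armed:
                return False
            self.armed = False
        elif p.recurrence == "interval" and self.last_fired is not None:
            if t - self.last_fired < p.interval_minutes * 60:
                return False
        self.last_fired = t
        return True


def fired(policy: AlertPolicy, times: List[float]) -> List[float]:
    """Times at which the alert actions would run for the given event times."""
    state = AlertState(policy)
    return [t for t in times if state.event(t)]


# Constructed event stream: a burst at t=0, a burst at t=10, a straggler at t=70.
TIMES = [0, 0.2, 0.4, 10, 10.1, 10.2, 10.3, 70]

if __name__ == "__main__":
    print("default:", fired(AlertPolicy(), TIMES))
    print("3 occurrences:", fired(AlertPolicy(occurrences=3), TIMES))
    print("3 per second:", fired(AlertPolicy(per_second=3), TIMES))
    print("manual reset:", fired(AlertPolicy(recurrence="manual_reset"), TIMES))
    print("1 minute interval:", fired(AlertPolicy(recurrence="interval", interval_minutes=1), TIMES))
```

The interval and manual-reset modes are what keep the "Send e-mail" action from turning a port scan into a mailbox flood; the per-second threshold is the one to raise for alerts that are noisy by nature.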
Logging
• Configuring logging
• Logging packet filter activity
Configuring Logging
Firewall Service Properties, Log tab: Enable logging for this service. Log storage format: File (click File to save logs to a file in W3C extended log file format or ISA format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options…) or Database (click Database to save logs to an ODBC database; ODBC data source (DSN): db1; Table name: Table1; Use this account / Set Account…). The Fields tab selects which fields are written.
For ODBC logging use a dedicated account that can only insert into the log table, and keep file logs on a volume that the firewall service can write but ordinary users cannot read.
Logging Packet Filter Activity
IP Packet Filters Properties, General tab ("Use this page to configure packet filter properties"): Enable filtering of IP fragments; Enable filtering IP options; Log packets from 'Allow' filters (select to log allowed packets as well as blocked ones).
DNS Block Properties (an individual packet filter) with tabs General, Filter Type, Local Computer and Remote Computer. General tab: Name: DNS Block; Mode: Block packet transmission between specified IP addresses, ports, and protocols; optional Description; Log any packets matching this filter (clear it to stop logging the blocked packets); Enable this filter.
ISA Server reporting
• Built-in standard reports: Summary; Web usage; Application usage; Traffic; Security; …
• Output in HTML format
• Reports can be customized
Managing the environment: comprehensive reporting capabilities
[Figure: Web-based report on top users]
Requirement 4: An open and extensible platform
• Develop custom application filters
• Develop custom Web filters
• All administration modules expose COM programming interfaces
• APIs for cache storage and retrieval
• Extensible UI (MMC)
• An SDK is provided
What is ISA Server?
ISA Server provides an enterprise-class solution combining network security, array management and acceleration.
Firewall Product Comparison
[Table: columns Microsoft ISA Server, Check Point FW-1, Cisco PIX, Symantec Raptor, NAI Gauntlet. Rows: Packet Filtering (Stateless, Stateful for all five products); Network Address Translation; Application Level Proxy; Centralized Policy Management; Integrated Web Cache; Embedded Intrusion Detection; Embedded VPN; Bandwidth Management; Built-in Reporting. The cell values for the rows after Packet Filtering (check marks, "+", "Limited" and "separate") did not survive extraction in a recoverable order and are not reproduced here.]
ISA users
• Manufacturing: BSH (owned by Bosch and Siemens, 3rd largest appliance manufacturer worldwide): 37,000 employees; DMZ firewall and internal firewall; moved from NSCP to ISA for reliability, performance and authentication
• Energy: Shell: 75,000 Windows 2000 desktops running the ISA Firewall Client; 6 ISA servers deployed on Windows 2000 domain controllers in 3 data centers around the world; evaluating ISA over Firewall-1
• Financial services: Celestial Asia Securities Holdings (Cash): won over Firewall-1 for the e-commerce (publishing) scenario; won over PIX for the DMZ (secure Internet access) scenario
• Education: University of Texas: ISA in production as the firewall, 10K users
ISA users in China
• Finance: Shanghai Pudong Development Bank (上海浦发银行)
• Manufacturing: Bell China Co., Ltd. (贝尔中国有限公司); Siemens China Co., Ltd. (西门子中国有限公司)
• Retail: Giordano China Co., Ltd. (佐丹奴中国有限公司)
• Transport: China Ocean Shipping Co. (中国远洋运输有限公司)
• Education: Shanghai Pudong Education Network (上海浦东教育网), Chongqing University (重庆大学), …
• Energy: Shenzhen Gas Group (深圳燃气集团)
• Government: Shanghai Municipal Government (上海市政府)
• ……