ISA Server - Microsoft


ISA Server
Beijing Weihong Software Research Institute
Zhong Dayong
Email: [email protected]
ISA Server comes in two editions: Standard Edition and Enterprise Edition.

Feature | ISA Server Standard Edition | ISA Server Enterprise Edition
Server configuration | Standalone server only | Centrally managed multiple servers
Policy-level support | Local | Enterprise and array
Hardware scaling limit | 4 CPUs | Unlimited
Pre-installation preparation
• 1. Is the network working (is the Internet reachable)?
• 2. Does DNS resolution work correctly?
• 3. Which installation mode: Web cache mode, firewall mode, or integrated mode?
• 4. If Proxy Server 2.0 is currently in use, are you ready to upgrade it to ISA Server 2000?
Hardware requirements
• Operating system: Windows 2000 Server, Windows 2000 Advanced Server, or Windows Datacenter
• RAM: 256 MB
• CPU: 300 MHz or higher
• Hard disk space: 20 MB
• Hard disk format: NTFS
• Network adapters: an internal adapter and an external adapter
• Active Directory: needed for arrays
Installation steps
• Serial number
• Installation options
• Array selection (Enterprise Edition)
• Installation mode
• Cache configuration
• Local Address Table (LAT) configuration
Selecting the installation mode
Microsoft ISA Server Setup asks you to select the mode for this server:
• Firewall mode: Select this option to install enterprise firewall functionality.
• Cache mode: Select this option to install cache and Web hosting functionality. Cache mode installation is recommended only for computers that are not directly connected to the Internet. If this computer is directly connected to the Internet, install ISA Server in integrated mode.
• Integrated mode: Select this option to install integrated enterprise firewall, cache, and Web hosting functionality.
Setup message shown during installation: "Setup has stopped your IIS publishing service (W3SVC). After Setup is complete, uninstall IIS or reconfigure all IIS sites not to use ports 80 and 8080."
Specifying the initial cache size
Setup dialog: "Specify the NTFS drives on which caches should be located and the maximum size of each cache." The initial cache size is 100 MB; add 0.5 MB for each Web Proxy client.
Example shown: Drive C: [NTFS], available space 28722 MB, cache size 100 MB, total cache size 100 MB.
Upgrading from Microsoft Proxy Server 2.0
(Diagram: upgrade path from Proxy Server 2.0 on Windows NT to ISA Server 2000 on Windows 2000. Items compared between Proxy Server 2.0 and ISA Server configurations: publishing rules, SOCKS rules, cache content, Winsock Proxy client versus Firewall Client, SecureNAT client, IPX protocol.)
Upgrading client computers: Proxy Server 2.0 Winsock Proxy clients become ISA Server Firewall Clients; client requests move from port 80 to ISA Server port 8080.
Problems that arise during installation
• Make sure the serial number is entered correctly.
• ISA Server requires Windows 2000 Server with Service Pack 1 or later.
• If ICS (Internet Connection Sharing) was running before installation, it must be uninstalled or disabled first.
• Installing Enterprise Edition requires write permission to Active Directory.
• The disk partition must be formatted as NTFS.
• ISA Server does not support a direct upgrade from Proxy Server 1.0, BackOffice 4.0 or Small Business Server 4.0.
• ISA Server does not support the IPX protocol.
About the LAT (Local Address Table)
• The LAT lists all the internal IP address ranges used by the internal network behind the ISA Server computer. ISA Server uses the LAT to control how machines on the internal network communicate with the external network.
Configuring the server and clients
Client overview (diagram: SecureNAT clients, Web Proxy clients and Firewall Clients on the internal network, with ISA Server between them and the Internet)
• Web Proxy clients improve the performance of Web requests for internal clients.
• SecureNAT clients do not require you to deploy client software or configure client computers.
• Firewall Clients allow Internet access only for authenticated users.
• Firewall Client: a client computer on which the Firewall Client software is installed and enabled.
• SecureNAT client: a client computer on which the Firewall Client software has not been installed.
• Web Proxy client: a Web application configured as a client of ISA Server.
Setting up Web Proxy clients
In Internet Explorer, open Local Area Network (LAN) Settings. Under Automatic configuration: "Automatic configuration may override manual settings. To ensure the use of manual settings, disable automatic configuration." (Automatically detect settings / Use automatic configuration script.)
Under Proxy server:
1. Select the Use a proxy server check box.
2. Type the IP address or name of the ISA Server computer in the Address box (192.168.0.3 in the example).
3. Type the port number in the Port box (8080 in the example), and then click OK.
Bypass proxy server for local addresses can also be selected.
ISA Server: cache mode and firewall mode
How caching works (diagram of two clients requesting www.weihong.com):
1. Client 1 requests www.weihong.com.
2. ISA Server forwards the request to the Internet.
3. The object is obtained from the Internet and placed in the cache.
4. Client 2 requests www.weihong.com.
5. The object is obtained from the cache.
ISA Server caching
• Forward caching: internal network, ISA Server cache, Internet
• Reverse caching: Internet, ISA Server cache, Web server
• Distributed caching: several ISA Server caches between the internal network and the Internet
Filtering and network traffic
Access policy (diagram): protocol rules such as HTTP to All Destinations: Allow; streaming media; SMTP; DNS intrusion detection on the external network.
Deployment scenarios (diagrams): bastion host (ISA Server as the firewall between the internal network and the Internet); enterprise firewall; perimeter network (ISA Server computers on both sides of the perimeter network).
A simple yet powerful management interface
ISA Management console (screenshot: View menu with Large Icons, Small Icons, List, Detail, Taskpad, Advanced, Customize…)
Using the ISA Management snap-in
Getting Started taskpad:
• Welcome
• Select policy elements
• Configure Schedules
• Configure Client Sets
• Configure Protocol Rules
• Configure Destination Sets
• Configure Site and Content Rules
• Secure Server
• Configure Firewall Protection
• Configure Dial-Up Entries
• Configure Routing for Firewall and SecureNAT Clients
• Configure Routing for Web Browser Applications
• Configure Cache Policy
Welcome page: "Welcome to the Microsoft Internet Security and Acceleration (ISA) Server Getting Started Wizard. This wizard will assist you in finishing the setup process and help you to define and configure initial ISA Server policies, to connect and protect your internal network. To navigate through the wizard, click Next. To quit the wizard, click Finish. Click the Help button for more information on specific tasks."
Taskpad view: management with tasks.
Configuring ISA Server properly
Understanding policy elements
Creating schedules
New schedule dialog example: Name: Lunch Hours and Weekends. Description: Use this schedule to permit access to sites during lunch hours and weekends. Set the activation times for rules that are based on this schedule in the weekly grid (Sunday through Saturday, 12 AM to 12 AM): click Active to add portions of the week, or click Inactive to remove portions of the week.
Creating bandwidth priorities
New Bandwidth Priority dialog examples:
• Name: High Priority. Description (optional): Assigns high priority to incoming traffic.
• Name: Basic Priority. Description (optional): Assigns high priority to incoming traffic.
Each priority has an Outbound bandwidth (1-200) and an Inbound bandwidth (1-200) value; the screenshots show the values 30 and 20.
Creating client address sets
Client Set dialog example: Name: Support Staff. Select the addresses of computers that belong to this client address set; in Add/Edit IP Addresses, enter a range From 192.168.101.0 To 192.168.101.255.
Creating protocol definitions
Type a number between 1 and 65535 to specify the port number.
Creating content groups
ISA Server includes several preconfigured content groups (Policy Elements > Content Groups in the ISA Management tree of server WEIHONG). The content type lists are truncated in the screenshot:

Name | Description | Content Types
Application | Applications | application/hta.application/x-internet-signup.application/x-pkcs7-certific
Application Data Files | Files containing data for applications | application/x-mscardfile.application/x-perform.application/x-msclip.appl
Audio | Audio files | audio.*,.ra,.ram,.rmi,.au,.snd,.aif,.aifc,.wav,.m3u,.mid,.mp3
Compressed Files | Compressed Files | application/x-gzip,application/x-tar,application/x-gtar,application/x-com
Documents | Documents | text/tab-separated-values,text/xml,text/h323,application/postscript,appl
HTML Documents | HTML Documents | text/webviewhtml,text/html,.htm,.html,.htt,.stm,.xsl
Images | All known types of images | .cod,.cmx,.ief,.pbm,.pnm,.ppm,.gif,.bmp,.jfif,.jpe,.jpg,.jpeg,.ico,.pgm,.ras
Macro Documents | Documents that may contain macr… | application/msword,application/vnd.ms-excel,application/x-msaccess,a
Text | Text content | .txt,.h,.c,.htc,.vcf,.etx,.uls,.css,.bas,.rtx,text/plain,text/x-component,text/
Video | Video files | video/*,.asf,.asr,.asx,.avi,.ivf,.lsf,.lsx,.mov,.movie,.mlv,.mp2,.mpa,.mpe,.
VRML | VRML | x-world/x-vrml,.flr,.wrl,.wrz,.xaf,.xof
Configuring authenticated Web sessions
LONDON Array Properties > Outgoing Web Requests tab (screenshot):
• Identification: Use the same listener configuration for all internal IP addresses, or Configure listeners individually per IP address.
• Listener: Server WEIHONG, IP address <All internal IP addresses>, Authentication: Integrated.
• TCP port: 8080; SSL port: 8443; Enable SSL listeners.
• Connections: Ask unauthenticated users for identification.
Configuring authentication
From the Outgoing Web Requests tab, the Add/Edit Listeners dialog (screenshot) shows: Server: WEIHONG; IP Address: <All internal IP addresses>; Display Name; Use a server certificate to authenticate to web clients (Select…). Authentication methods: Basic with this domain (Select domain…); Digest with this domain (Select domain…); Integrated; Client certificate (secure channel only).
Intrusion detection
Intrusion types and alerts
Enabling intrusion detection in the IP packet filter properties dialog in ISA Management configures ISA Server to detect six common network attacks. With intrusion detection enabled, whenever ISA Server detects any one of these attacks it writes an entry to the Windows 2000 event log. ISA Server can also be configured to respond to an attack in other ways, for example by sending e-mail to the administrator.
Configuring alerts
• ISA Server includes 45 alerts, of which 39 are enabled.
Alert conditions
• New alerts are based on existing alerts, but they usually also include additional, specific …
Alert actions
• When the alert conditions are met: 1. send an e-mail; 2. run a specific program; 3. log an event in the Windows 2000 event log.
• Stop or start any ISA Server service: the Firewall service, the Web Proxy service, or the Scheduled Content Download service.
Configuring the ISA Server cache
Internet acceleration: configuring HTTP
• Configure HTTP caching
• Configure active caching
• Advanced configuration
Configuring HTTP caching
Cache Configuration Properties > HTTP tab (select Enable HTTP Caching to enable HTTP caching):
• Unless source specifies expiration, update source: Frequently (Expire immediately) / Normally / Less frequently (Reduced network traffic is important)
• Set Time To Live (TTL) of object in cache to this percentage of content age (time since creation or modification): 20
• No less than: 15 Minutes
• No more than: 1 Days
Configuring active caching
Cache Configuration Properties > Active Caching tab. Active caching automatically retrieves frequently accessed files. Select Enable active caching to create an active caching policy, then choose how often to retrieve files:
• Frequently (Client performance is more important)
• Normally (Client performance and reduced network traffic are equally important)
• Less frequently (Reduced network traffic is more important)
Configuring FTP caching
Cache Configuration Properties > FTP tab: select Enable FTP caching and specify a time for FTP objects to remain in the cache. Time to Live for all objects: 1440 Minutes.
Configuring advanced cache settings
Cache Configuration Properties > Advanced tab (select to configure cache settings for specific objects):
• Do not cache objects larger than: 1 KB
• Cache objects that have an unspecified last modification time
• Cache objects even if they do not have an HTTP status code of 200
• Cache dynamic content (objects with question marks in the URL)
• Maximum size of URL cached in memory (bytes): 12800
• If Web site of expired object cannot be reached: Do not return the expired object (return an error page), or Return the expired object only if expiration was at less than this percentage of original Time to Live: 50, but no more than (minutes): 60
• Percentage of available memory to use for caching: 50
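As an added illustration (not part of the original slides or of ISA Server's own code), the following Python models the two cache rules shown in the HTTP tab and the Advanced tab above: the TTL derived as 20% of content age with the 15-minute and 1-day bounds, and the stale-object rule (under 50% of the original TTL, and under 60 minutes) applied when the expired object's Web site cannot be reached. The arithmetic is my reading of the dialog labels, and the timestamps are constructed.

```python
from datetime import datetime, timedelta

# Settings as shown in the Cache Configuration Properties dialogs on the slides.
TTL_PERCENT_OF_AGE = 20            # HTTP tab: TTL = 20% of content age,
TTL_MIN = timedelta(minutes=15)    # no less than 15 minutes,
TTL_MAX = timedelta(days=1)        # no more than 1 day.
STALE_PERCENT_OF_TTL = 50          # Advanced tab: return an expired object only if it
STALE_MAX = timedelta(minutes=60)  # expired less than 50% of its TTL ago, and under 60 min.


def compute_ttl(fetched_at, last_modified, expires=None):
    """TTL assigned when an object enters the cache. An expiration given by the
    source wins; otherwise TTL is a percentage of content age (time since last
    modification), clamped to the configured bounds (my reading of the dialog)."""
    if expires is not None:
        return max(expires - fetched_at, timedelta(0))
    age = max(fetched_at - last_modified, timedelta(0))
    return min(max(age * TTL_PERCENT_OF_AGE / 100, TTL_MIN), TTL_MAX)


def can_serve_stale(now, fetched_at, ttl):
    """May an expired object still be returned when its Web site cannot be
    reached? Unexpired objects are always servable."""
    expired_for = now - (fetched_at + ttl)
    if expired_for <= timedelta(0):
        return True
    return expired_for < min(ttl * STALE_PERCENT_OF_TTL / 100, STALE_MAX)


def demo():
    """Apply both rules to constructed timestamps; returns TTLs in minutes."""
    fetched = datetime(2000, 9, 18, 21, 28)  # constructed (date of the cache file on the slides)

    def minutes(td):
        return td.total_seconds() / 60

    ttl_old = compute_ttl(fetched, fetched - timedelta(days=10))    # 20% of 10 d = 2 d -> capped at 1 d
    ttl_fresh = compute_ttl(fetched, fetched - timedelta(hours=1))  # 20% of 1 h = 12 min -> raised to 15
    ttl_mid = compute_ttl(fetched, fetched - timedelta(hours=10))   # 20% of 10 h = 2 h, within bounds
    ttl_hdr = compute_ttl(fetched, fetched - timedelta(days=10),
                          expires=fetched + timedelta(minutes=30))   # source expiration wins
    return {
        "ttl_old": minutes(ttl_old), "ttl_fresh": minutes(ttl_fresh),
        "ttl_mid": minutes(ttl_mid), "ttl_hdr": minutes(ttl_hdr),
        # 2 h TTL, expired 30 min ago: under min(50% of 2 h, 60 min) -> stale copy returned
        "stale_ok": can_serve_stale(fetched + timedelta(hours=2, minutes=30), fetched, ttl_mid),
        # 1 d TTL, expired 61 min ago: 50% would allow 12 h, but the 60 min cap refuses it
        "stale_too_old": can_serve_stale(fetched + timedelta(days=1, minutes=61), fetched, ttl_old),
    }
```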
Adjusting the cache size
LONDON Properties > Cache Drives tab: specify the size of the cache for each drive (columns Drive, Type, Disk space, Free space, Cache Size). Example shown: total disk space 39064 MB, maximum cache size 100 MB, total maximum cache size 100 MB.
On the drive the cache is stored in the urlcache folder (Explorer screenshot): dir1 (File Folder, modified 9/6/2000 9:43 PM) and a second entry dir1 of type Microsoft ISA Server Cache File (100,800 KB, modified 9/18/2000 9:28 PM). The .cdat file on the drive will be the same size as the cache (98.4 MB).
Configuring VPN
• Local ISA Server VPN configuration
• Remote ISA Server VPN configuration
Connecting remote users to a corporate network (diagram): Corporate Network - ISA Server computer - Internet - VPN tunnel - Remote user.
Connecting remote networks to a local network (diagram): Local Network - ISA Server computer - Internet - VPN tunnel - ISA Server computer - Remote Network.
Configuring a VPN to accept client connections
ISA VPN Server Wizard summary: "ISA Virtual Private Network (VPN) Server can accept VPN connections from remote clients over the Internet. The Server will be configured with the properties listed below:" (the wizard lists the configuration properties it sets)
• Configure Routing and Remote Access Server as Virtual Private Network (VPN)
• Enforce secured authentication and encryption methods.
• Open static packet filters for allowing PPTP and L2TP over IPSEC protocols.
• The number of ports available for clients to connect is 128, but this number can be …
Setting up VPN
Server publishing
Publishing overview (diagram): Internal Network - ISA Server (internal adapter 192.168.9.1, external adapter 131.107.3.1) - Internet; the published Web server is www.nwtraders.msft.
Publishing (1)
Publishing (2)
• Note: for array members, if the enterprise policy settings are configured not to allow publishing, server publishing rules cannot be created.
Encrypted publishing
H.323 protocol
• H.323 is a set of standards proposed by the International Telecommunication Union to meet the needs of video conferencing in different environments.
• The H.323 standard defines four important components for network-based conferencing systems: terminals, gateways, gatekeepers and multipoint control units (MCUs).
How the H.323 Gatekeeper works (diagram): DNS SRV records _Q931_tcp.contoso.msft (24.0.0.10) and _Q931_tcp.nwtraders.msft (136.0.0.1); Gatekeeper at 24.0.0.10; ISA H.323 Gateway at 136.0.0.1; origination endpoint [email protected] (10.0.0.9); destination endpoint [email protected] (192.168.0.10). The diagram numbers the call setup steps 1 to 5 across the Internet between the two sites.
Loading and configuring an H.323 Gatekeeper
In ISA Management, select H.323 Gatekeepers under the server node (alongside Monitoring, Access Policy, Publishing, Bandwidth Rules, Policy Elements, Cache Configuration, Monitoring Configuration, Extensions, Network Configuration and Client Configuration) and choose Add gatekeeper… from the Action menu. The Add Gatekeeper dialog asks you to select a computer running H.323 Gatekeeper that you want to add: This computer or Another computer. The gatekeeper list shows LONDON with status Normal.
Managing logs in ISA Management
• The Log tab of the service log properties
• The Fields tab of the service log properties
• Log file location
Controlling bandwidth
Additional tuning and monitoring tools
• Tuning ISA Server performance
• ISA Server performance objects and counters
Ten questions
1. SecureNAT clients cannot connect to the Internet (configuration error).
2. SecureNAT connections work when the client specifies an IP address but not when it specifies a computer name (DNS error).
3. Dial-out to the Internet fails because the dial-up connection is already in use (possibly by another computer).
4. The dial-up connection drops (restart ISA Server).
5. The Web Proxy service cannot start (the cache contents are corrupted).
6. Clients cannot use a specified protocol, such as HTTP, RealAudio or another protocol (create a filter, and check whether any other protocol is being blocked).
7. After a protocol is disabled, clients can still use the protocol that the rule allowed (disconnect the client sessions).
8. Although a protocol rule has been configured to allow access, clients still cannot use the specified protocol (enable the application filter).
9. After installation completes, the services cannot start (the LAT is configured incorrectly).
10. External clients cannot send e-mail through a computer running Microsoft Exchange Server that sits behind ISA Server and is configured as a SecureNAT client (check that a server publishing rule has been configured so that the external interface passes all traffic on port 35 for SMTP and port 110 for POP3 to the correct IP address and port of the internal Exchange Server).
Troubleshooting steps
• 1. Use ISA Server reports
• 2. Review the event messages generated by the ISA Server services
• 3. Check the configuration, hardware and network usage
Comparison: Microsoft ISA Server vs. Check Point FW-1

Feature | Microsoft ISA Server | Check Point FW-1
Security and reliability | |
Integrated security model | Transparently integrated with the existing Active Directory security model and its users and groups (for example, no additional logon is needed). | A third-party authentication server must be used to create user and group accounts, and firewall authentication requires an additional logon screen.
Application-layer filtering | Can detect and block attacks that occur at the application layer, such as buffer overflows, worms and other malicious requests. | No such capability; can only perform stateful inspection of packets at the network layer.
Fault tolerance and load balancing | Transparent failover and load balancing across all ISA Server computers managed as an array. | Requires the purchase of expensive add-on programs for this capability.
Secure server publishing | ISA Server acts as a secure application gateway, so external users never communicate directly with the protected servers. | No such capability.
Intrusion detection | Inspects and/or blocks common packet-layer, network-layer and application-layer attacks, for example port scans, ping of death and WinNuke (written by ISS). | Intrusion detection is available only by separately purchasing the RealSecure product from ISS.
Management | |
Reporting and alerting | Automatically generates a range of key reports; when a security alert or another kind of alert occurs, ISA Server can automatically take the corresponding action. | Has simple alerting, but the reporting module is an add-on product that must be purchased separately.
Comparison: Microsoft ISA Server vs. Cisco PIX

Feature | Microsoft ISA Server | Cisco PIX
Security and reliability | |
Integrated security model | Transparently integrated with the existing Active Directory security model and its users and groups (for example, no additional logon is needed). | Does not support Windows-based authentication schemes or protocols.
Application-layer filtering | Can detect and block attacks that occur at the application layer, such as buffer overflows, worms and other malicious requests. | No application-layer inspection, only stateful packet inspection; cannot detect complex application-layer attacks.
Fault tolerance and load balancing | Transparent failover and load balancing across all ISA Server computers managed as an array. | Requires the purchase of expensive add-on programs for this capability.
Intrusion detection | Inspects and/or blocks common packet-layer, network-layer and application-layer attacks, for example port scans, ping of death and WinNuke (written by ISS). | Can only detect network-layer intrusion attempts; cannot detect malicious application-layer intrusion attempts.
Performance | |
Integrated high-performance cache engine | Improves system performance by reusing frequently accessed Web content. | No caching support; a separate caching product must be purchased.
Bandwidth priorities | Lets ISA Server give higher priority to particular requests, so that urgent tasks and bandwidth-hungry critical tasks, such as streaming media, can run with higher priority. | An add-on product must be purchased for this capability.
THANKS