How To Protect Your Network Using ISA Server

Download Report

Transcript How To Protect Your Network Using ISA Server 

How To Protect
Your Network Using
ISA Server
邹方波
微软认证讲师
广州嘉为计算机网络教育中心
What We Will Cover






The functionality of ISA Server 2000
Migrating to ISA Server 2000
How to configure ISA server for
caching and proxying
How to publish servers
How to configure ISA to support
Exchange 2000
Where to position ISA server in
your environment
Session Prerequisites

This session assumes that
you have




Knowledge of proxy server
Knowledge of firewall software
TCP/IP fundamentals
This is a level 200 session
Agenda






What is ISA Server 2000
Configuring caching
Configuring the firewall
Server publishing
Applications filters
Positioning ISA
What Is ISA Server 2000


Firewall and cache server
ISA Server Editions


ISA Server Standard Edition
ISA Server Enterprise Edition
What Is ISA Server 2000
Comparing the Editions
Standard Edition
Enterprise
Edition
No array support
Unlimited hardware
scalability
Enterprise and array
policies
Local policies only
4 CPU limit
No CPU limit
Limited Active Directory Full Active Directory
integration
integration
What Is ISA Server 2000
ISA requirements
Processor
300 MHz or higher Pentium II
compatible
Operating System
Microsoft Windows 2000 Server or
Advanced Server with SP2 or higher
256 MB of RAM
Memory
Hard Disk



Other
20 MB of available hard drive space
An available NTFS partition
4-8 MB for each proxy client
To implement the array and advanced
configuration policies on the Enterprise
edition you also need
Windows Active Directory on
the network
What Is ISA Server 2000
Migrating from Proxy 2.0

Proxy 2.0 on Windows NT® 4.0





Stop Proxy services
Upgrade to Windows® 2000
Install Service Pack 2
Install ISA Server
Proxy 2.0 on Windows 2000



Stop Proxy services
Install Service Pack 2
Install ISA Server
What Is ISA Server 2000
What migrates?

Settings that migrate






Proxy server rules
Network settings
Monitoring configuration (alerts)
Cache configuration
Publishing
Settings that do not migrate


Old cache is deleted
SOCKS rules
Agenda






What is ISA Server 2000
Configuring caching
Configuring the firewall
Server publishing
Applications filters
Positioning ISA
Configuring Caching
Business scenario
Internet
ISA
Clients
Configuring Caching
Allowing Internet access

4 simple steps




Verify LAT
Create a protocol access rule
Turn on HTTP and FTP Caching*
Define Proxy setting on all clients
*enabled by default
Configuring Caching
Cache expiration

Frequently


Normally


Cache is somewhat current, network
performance is considered
Less frequently


Cache is kept current, network
performance may be degraded
Cache is less current, network
performance is not degraded
Custom settings
Configuring Caching
Active caching

Enables ISA to fetch a new version
of cached objects

Frequently


Normally


Cache is kept current, network
performance is degraded
Network performance is considered
when updating the cache
Less Frequently

Cache is less current, network
performance is not degraded
Configuring Caching
Advanced cache settings

Allows control over what
content is cached




Size of objects to cache
Dynamic content
Maximum URL cached in memory
Control what action to take with
expired cache objects

Return an error
-or-

Return expired object
Configuring Caching
Adjusting cache size
LONDON Properties

Cache Drives
LONDON
Drive
Type
Disk space…
Maximum cache size (MB):
Free space…
Set
100
Total disk space (MB):
39064
Total maximum cache size (MB):
100
OK
Cache Size…
Cancel
Apply
Properties of server
 Creates a .cdat file
of equivalent size
 4-8 MB for
each client
Specify the size
of the cache
Demonstration 1
Configure Caching
Enabling HTTP and FTP caching
Examining cache configuration
Allowing Internet access
Agenda






What is ISA Server 2000
Configuring caching
Configuring the firewall
Server publishing
Applications filters
Positioning ISA
Configuring The Firewall
Business scenario
Internet
ISA
Clients
ISA
Clients
Configuring The Firewall
The many sides of ISA

Web proxy service


Firewall service – Proxy


Handles HTTP/HTTPS and
FTP traffic
Handles TCP and UDP protocols
Firewall service – Routing

All other protocols (ex., ICMP)
Configuring The Firewall
Allowing network applications


Protocol definitions
Create a protocol rule
Start
Name the Rule
Specify the Rule Action
Select the Protocol(s)
Select a Schedule
Select a Client Type
Finish
Demonstration 2
Protocol Rules
Review protocol definitions
Create a protocol rule
Allow access to the MSN®
Messenger Service
Agenda






What is ISA Server 2000
Configuring caching
Configuring the firewall
Server publishing
Applications filters
Positioning ISA
Server Publishing
The many sides of ISA

Web proxy service


Firewall service – Proxy


Handles HTTP/HTTPS and
FTP traffic
Handles TCP and UDP protocols
Firewall service – Routing

All other protocols (ex., ICMP)
Server Publishing
Packet filtering


Allows you to control which packets can
pass through the firewall
You can filter based on



Source IP address and/or port
Destination IP address and/or port
IP options
IP routing


Routes packets from the internal network
to the Internet
Required for protocols other than TCP
or UDP
Server Publishing
What is it?

Make internal servers available
Perimeter Network
to the Internet
SMTP
IIS
Internet
ISA
Server Publishing
The steps

Steps required




Enable packet filtering and
IP routing
Configure listeners
Create a destination set
Create a server publishing rule
Server Publishing
Listeners



Listen for incoming HTTP and
SSL requests
Without listeners ISA discards all
incoming requests
Authentication




Certificates
Integrated
Digest
Basic (clear text)
Server Publishing
Destination sets


Specifies external client endpoints
Redirect sections of your Web site
www.nwtraders.msft/africa
www.nwtraders.msft/europe
Internet
ISA Server
Europe
europe.internal.nwtraders.msft
Africa
africa.internal.nwtraders.msft
Internal Network
Server Publishing
Server publishing rules




Redirect to an internal server
Redirect to different ports
Redirect HTTP to HTTPS
Processing occurs top to bottom
Demonstration 3
Server Publishing
Enable listeners
Create a destination set
Publish a Web Server
Agenda






What is ISA Server 2000
Configuring caching
Configuring the firewall
Server publishing
Applications filters
Positioning ISA
Application Filters
The many different types









DNS intrusion detection filter
FTP access filter
H.323 filter
HTTP redirector filter
POP intrusion detection filter
RPC filter
SMTP filter
SOCKS V4 filter
Streaming media filter
Application Filters
HTTP redirector filter

Advantages




Forwards HTTP requests to the
Web Proxy service
Clients do not have to configure
their Web browser
Site and content rules apply to
firewall and SecureNAT clients
Disadvantages

User authentication is lost
Application Filters
HTTP redirector filter options

Redirect to local Web Proxy
service



If unavailable redirect to
requested Web server
Send to requested Web server
Reject HTTP requests from
firewall and SecureNAT clients
Application Filters
SMTP filter
Internet
ISA
Exchange
Application Filters
Features






Block specific SMTP commands
Block SMTP buffer
overflow attacks
Filter mail based on keywords
Block attachments such as .cmd
Limit attachment size
Block mail from certain
users/domains
Application Filters
How the SMTP Filter Operates
Internet
ISA
Exchange
Application Filters
Configuring the SMTP filter

Requirements






Install Internet Information Server 5.0
with SMTP service
Forward all mail to internal mail server
Install the Message Screener
Run SMTPCred.exe*
Publish the SMTP Server
Configure and Enable the filter
*If the SMTP Server is not on the same machine as the ISA server
Demonstration 4
SMTP Filter
Installing the Message Screener
Configuring the Message Screener
Agenda






What is ISA Server 2000
Configuring caching
Configuring the firewall
Server publishing
Applications filters
Positioning ISA
Positioning ISA
Scenarios



Small network
Branch office
Publishing services
Positioning ISA
Small network


Single location
Operating in
integrated mode
firewall/proxy
ISA
Clients
Positioning ISA
Branch office(s)



Multiple locations
ISA Servers in an array
Access rules
managed
centrally
ISA
Clients
ISA
Corporate Office
Clients
Branch Office
Positioning ISA
Publishing services


Secures published servers
Secures the internal network
Perimeter Network
FTP
Internet
ISA
IIS
Internal Network
Clients
Positioning ISA
Publishing services 2


Secures published servers
Offers maximum protection for
internal network
Perimeter Network
FTP
Internal Network
IIS
Clients
Internet
ISA
ISA
Session Summary



Simplified proxy setup
Powerful firewall with easy
administration
Extensible
For More Information


Refer to the TechNet Web site
at www.microsoft.com/technet
See Microsoft® official
curriculum at
www.microsoft.com/train_cert

Course #2159 Deploying
and Managing Microsoft
Internet Security and
Acceleration Server 2000
For More Information


Microsoft’s ISA Server
homepage
http://www.microsoft.com/isa
ISA Server.org
http://www.isaserver.org
Training
Training resources for IT professionals



Deploying and Managing Microsoft Internet
Security and Acceleration Server
 Course # 2159
 Available: Now
To locate a training provider for this course,
please access
mcspreferral.microsoft.com/default.asp
Microsoft Certified Technical Education
Centers (CTECs) are Microsoft’s premier
partners for training services