Book Description
Dr. Tom Shinder’s ISA Server 2006 Migration Guide provides a clear, concise, and thorough path to migrate from previous versions of ISA Server to ISA Server 2006. Because ISA Server 2006 is an incremental upgrade from ISA Server 2004, this book concentrates on the tips and tricks needed for a successful migration rather than rehashing the features introduced in ISA Server 2004. It also shows how to publish Exchange Server 2007 through ISA Server 2006 and how to build a DMZ.
* Highlights key issues for migrating from previous versions of ISA Server to ISA Server 2006.
* Learn to publish Exchange Server 2007 using ISA Server 2006.
* Create a DMZ using ISA Server 2006.
Dr. Tom Shinder’s previous two books on configuring ISA Server have sold more than 50,000 units worldwide. He is a Microsoft Most Valuable Professional (MVP) for ISA Server and a member of the ISA Server beta testing team.
Table of Contents
Front matter: Copyright, Lead Authors, Contributing Authors, Introduction (What’s New in ISA 2006 Firewalls)

1. Network Security Basics
Introduction Security Overview Defining Basic Security Concepts Knowledge is Power Think Like a Thief The Intrusion Triangle Removing Intrusion Opportunities Security Terminology Addressing Security Objectives Controlling Physical Access Physical Access Factors Protecting the Servers Keeping Workstations Secure Protecting Network Devices Securing the Cable Safely Going Wireless Have Laptop, Will Travel The Paper Chase Removable Storage Risks Physical Security Summary Preventing Accidental Compromise of Data Know Your Users Educate Your Users Control Your Users Preventing Intentional Internal Security Breaches Hiring and Human Resource Policies Detecting Internal Breaches Preventing Intentional Internal Breaches Preventing Unauthorized External Intrusions External Intruders with Internal Access Tactical Planning Recognizing Network Security Threats Understanding Intruder Motivations Recreational Hackers Profit-motivated Hackers Vengeful Hackers Hybrid Hackers Classifying Specific Types of Attacks Social engineering attacks What is social engineering? Protecting your network against social engineers Denial of Service (DOS) Attacks Distributed Denial of Service attacks DNS DOS attack SYN attack/LAND attack Ping of Death Teardrop Ping Flood (ICMP flood) SMURF attack UDP bomb or UDP flood UDP Snork attack WinNuke (Windows out-of-band attack) Mail bomb attack Scanning and Spoofing Port scan IP half scan attack IP Spoofing Source Routing attack Other protocol exploits System and software exploits Trojans, viruses and worms Trojans Viruses Worms Designing a Comprehensive Security Plan Evaluating Security Needs Assessing the type of business Assessing the type of data Assessing the network connections Assessing management philosophy Understanding management models Understanding Security Ratings Legal Considerations Designating Responsibility for Network Security Responsibility for Developing the Security Plan and Policies Responsibility for Implementing and Enforcing the Security Plan and Policies Designing the Corporate Security Policy Developing an Effective Password Policy Password Length and Complexity Who creates the password? Password Change Policy Summary of Best Password Practices Educating Network Users on Security Issues Summary

2. ISA Server 2006 Client Types and Automating Client Provisioning
Introduction Understanding ISA Server 2006 Client Types Understanding the ISA Server 2006 SecureNAT Client SecureNAT Client Limitations SecureNAT Client Advantages Name Resolution for SecureNAT Clients Name Resolution and “Looping Back” Through the ISA Server 2006 Firewall Understanding the ISA Server 2006 Firewall Client Allows Strong User/Group-Based Authentication for All Winsock Applications Using TCP and UDP Protocols Allows User and Application Information to be Recorded in the ISA Server 2006 Firewall’s Log Files Provides Enhanced Support for Network Applications, Including Complex Protocols That Require Secondary Connections Provides “Proxy” DNS Support for Firewall Client Machines The Network Routing Infrastructure Is Transparent to the Firewall Client How the Firewall Client Works Installing the Firewall Client Share Installing the Firewall Client Firewall Client Configuration Centralized Configuration Options at the ISA Server 2006 Firewall Computer Enabling Support for Legacy Firewall Client/Winsock Proxy Clients Client Side Firewall Client Settings Firewall Client Configuration Files .ini Files Advanced Firewall Client Settings Firewall Client Configuration at the ISA Server 2006 Firewall ISA Server 2006 Web Proxy Client Improved Performance for the Firewall Client and SecureNAT Client Configuration for Web Access Ability to Use the Autoconfiguration Script to Bypass Sites Using Direct Access Allows You to Provide Web Access (HTTP/HTTPS/FTP Download) without Enabling Users Access to Other Protocols Allows You to Enforce User/Group-based Access Controls Over Web Access Allows you to Limit the Number of Outbound Web Proxy Client Connections Supports Web Proxy Chaining, Which Can Further Speed Up Internet Access ISA Server 2006 Multiple Client Type Configuration Deciding on an ISA Server 2006 Client Type Automating ISA Server 2006 Client Provisioning Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery Install the DHCP Server Create the DHCP scope Create the DHCP 252 Scope Option and Add It to the Scope Configure the Client as a DHCP Client Configure the Client Browser to Use DHCP for Autodiscovery Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information Making the Connection Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery Creating the wpad Entry in DNS Configure the Client to Use the Fully-Qualified wpad Alias Configure the client browser to use autodiscovery Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information Making the Connection Using DNS for Autodiscovery Automating Installation of the Firewall Client Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console Group Policy Software Installation Silent Installation Script Systems Management Server (SMS) One More Time

3. Installing and Configuring the ISA Firewall Software
Pre-installation Tasks and Considerations System Requirements Configuring the Routing Table DNS Server Placement Configuring the ISA Firewall’s Network Interfaces Installation via a Terminal Services Administration Mode Session Performing a Clean Installation on a Multihomed Machine Default Post-installation ISA Firewall Configuration The Post-installation System Policy Performing a Single NIC Installation (Unihomed ISA Firewall) Quick Start Configuration for ISA Firewalls Configuring the ISA Firewall’s Network Interfaces IP Address and DNS Server Assignment Configuring the Internal Network Interface Configuring the External Network Interface Network Interface Order Installing and Configuring a DNS Server on the ISA Server Firewall Installing the DNS Service Installing the DNS Server Service on Windows Server 2003 Configuring the DNS Service on the ISA Firewall Configuring the DNS Service in Windows Server 2003 Configuring the DNS Service on the Internal Network DNS Server Installing and Configuring a DHCP Server on the ISA Server Firewall Installing the DHCP Service Installing the DHCP Server Service on a Windows Server 2003 Computer Configuring the DHCP Service Installing and Configuring the ISA Server 2006 Software Configuring the ISA Firewall DHCP Request to Server Rule DHCP Reply from Server Rule Internal DNS Server to DNS Forwarder Rule Internal Network to DNS Server The All Open Rule Configuring the Internal Network Computers Configuring Internal Clients as DHCP Clients Hardening the Base ISA Firewall Configuration and Operating System ISA Firewall Service Dependencies Service Requirements for Common Tasks Performed on the ISA Firewall Client Roles for the ISA Firewall ISA Firewall Administrative Roles and Permissions Lockdown Mode Lockdown Mode Functionality Connection Limits DHCP Spoof Attack Prevention One More Time

4. Creating and Using ISA 2006 Firewall Access Policy
ISA Firewall Access Rule Elements Protocols User Sets Content Types Schedules Network Objects Configuring Access Rules for Outbound Access through the ISA Firewall The Rule Action Page The Protocols Page The Access Rule Sources Page The Access Rule Destinations Page The User Sets Page Access Rule Properties The General Tab The Action Tab The Protocols Tab The From Tab The To Tab The Users Tab The Schedule Tab The Content Types Tab The Access Rule Context Menu Options Configuring RPC Policy Configuring FTP Policy Configuring HTTP Policy Ordering and Organizing Access Rules How to Block Logging for Selected Protocols Disabling Automatic Web Proxy Connections for SecureNAT Clients Using Scripts to Populate Domain Name Sets Using the Import Scripts Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports Avoiding Looping Back through the ISA Firewall for Internal Resources Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) Blocking MSN Messenger using an Access Rule Allowing Outbound Access to MSN Messenger via Web Proxy Changes to ISA Firewall Policy Only Affects New Connections Allowing Intradomain Communications through the ISA Firewall One More Time

5. Publishing Network Services with ISA 2006 Firewalls
Overview of Web Publishing and Server Publishing Web Publishing Rules Proxied Access to Web Sites Protected by the ISA firewall Deep Application-Layer Inspection of Connections Made to Published Web Sites Path Redirection URL rewriting with ISA’s Link Translation Ability to Publish Multiple Web Sites with a Single IP Address Pre-authentication of requests, and Authentication Delegation to the published Site Single Sign-On (SSO) for Published Web Sites Support for SecurID Authentication Support for RADIUS Authentication Reverse Caching of Published Web Sites Support for Forwarding either the ISA Firewall’s IP Address, or the Original Web Client’s IP Address to the Web Site Ability to Schedule when Connections are Allowed to Published Web Sites Port and Protocol Redirection Server Publishing Rules Server Publishing Rules are a Form of Reverse NAT, sometimes referred to as “Port Mapping” or “Port forwarding” and do not Proxy the Connection Almost All IP Level and TCP/UDP Protocols can be Published using Server Publishing Rules Server Publishing Rules do not Support Authentication on the ISA Server Application-Layer Filtering can be Applied to a Defined Subset of Server Published Protocols You can Configure Port Overrides to Customize the Listening Ports and the Port Redirection You can also Lock Down the Source Ports the Requesting Clients use to Connect to the Published Server You can lock down who can Access Published Resources using IP addresses The External Client Source IP Address can be Preserved or it can be Replaced with the ISA Firewall’s IP address Restrict connections to specific days and times Support for Port Redirection or PAT (Port Address Translation) Creating and Configuring Non-SSL Web Publishing Rules The Select Rule Action Page The Publishing Type Page The Server Connection Security Page The Internal Publishing Details Page (Part one) The Internal Publishing Details Page (Part two) The Public Name Details Page The Select Web Listener Page and Creating an HTTP Web Listener The Web Listener IP Addresses Page The Authentication Settings Page The Single Sign on Settings Page The LDAP Settings Page The RADIUS Settings Page SecurID Settings The Authentication Delegation Page The User Sets Page Creating and Configuring SSL Web Publishing Rules SSL Bridging SSL “Tunneling” versus SSL “Bridging” What about SSL-to-HTTP Bridging? Enterprise and Standalone Certificate Authorities SSL-to-SSL Bridging and Web Site Certificate Configuration Importing Web Site Certificates into the ISA Firewall’s Machine Certificate Store Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites Creating an SSL Web Publishing Rule The Internal Publishing Details Pages The Public Name Details Page The Server Connection Security Page The Client Connection Security Page ISA 2004’s Bridging Mode Page and ISA 2006 Configuring Advanced Web Listener Properties The General Tab The Networks Tab The Connections Tab The Connections – Advanced Dialog The Certificates Tab The Certificates – Advanced Dialog The Authentication Tab Advanced Authentication Options Dialog Box The Forms Tab The Forms – Advanced Dialog The SSO Tab The Web Publishing Rule Properties Dialog Box The General Tab Action From To Traffic Listener Public Name Paths Bridging Users Schedule Link Translation Authentication Delegation Application Settings Creating Server Publishing Rules The Server Publishing Rule Properties Dialog Box Server Publishing HTTP Sites Creating Mail Server Publishing Rules The Client Access: RPC, IMAP, POP3, SMTP Option Publishing Exchange Web Client Access One More Time

6. Creating Remote Access and Site-to-Site VPNs with ISA Firewalls
Overview of ISA Firewall VPN Networking Firewall Policy Applied to VPN Client Connections Firewall Policy Applied to VPN Site-to-Site Connections VPN Quarantine User Mapping of VPN Clients SecureNAT Client Support for VPN Connections Site-to-Site VPN Using Tunnel Mode IPSec Publishing PPTP VPN Servers Pre-shared Key Support for IPSec VPN Connections Advanced Name Server Assignment for VPN Clients Monitoring of VPN Client Connections An Improved Site-to-Site Wizard (New ISA 2006 feature) The Create Answer File Wizard (New ISA 2006 Feature) The Branch Office Connectivity Wizard (New ISA 2006 feature) The Site-to-Site Summary (New ISA 2006 Feature) Creating a Remote Access PPTP VPN Server Enable the VPN Server Create an Access Rule Allowing VPN Clients Access to Allowed Resources Enable Dial-in Access Test the PPTP VPN Connection Creating a Remote Access L2TP/IPSec Server Issue Certificates to the ISA Firewall and VPN Clients Test the L2TP/IPSec VPN Connection Monitor VPN Clients Using a Pre-shared Key for VPN Client Remote Access Connections Creating a PPTP Site-to-Site VPN Create the Remote Site Network at the Main Office The Network Rule at the Main Office The Access Rules at the Main Office Create the VPN Gateway Dial-in Account at the Main Office Create the Remote Site Network at the Branch Office The Network Rule at the Branch Office The Access Rules at the Branch Office Create the VPN Gateway Dial-in Account at the Branch Office Activate the Site-to-Site Links Creating an L2TP/IPSec Site-to-Site VPN Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA Request and Install a Certificate for the Main Office Firewall Configure the Main Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA Request and Install a Certificate for the Branch Office Firewall Configure the Branch Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link Activate the L2TP/IPSec Site-to-Site VPN Connection Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways Using RADIUS for VPN Authentication and Remote Access Policy Configure the Internet Authentication Services (RADIUS) Server Create a VPN Clients Remote Access Policy Remote Access Permissions and Domain Functional Level Changing the User Account Dial-in Permissions Changing the Domain Functional Level Controlling Remote Access Permission via Remote Access Policy Enable the VPN Server on the ISA Firewall and Configure RADIUS Support Create an Access Rule Allowing VPN Clients Access to Approved Resources Make the Connection from a PPTP VPN Client Using EAP User Certificate Authentication for Remote Access VPNs Configuring the ISA Firewall Software to Support EAP Authentication Enabling User Mapping for EAP Authenticated Users Issuing a User Certificate to the Remote Access VPN Client Machine Supporting Outbound VPN Connections through the ISA Firewall Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall Summary

7. ISA 2006 Stateful Inspection and Application Layer Filtering
Introduction Application Filters The SMTP Filter The DNS Filter The POP Intrusion Detection Filter The SOCKS V4 Filter The FTP Access Filter The H.323 Filter The MMS Filter The PNM Filter The PPTP Filter The RPC Filter The RTSP Filter Web Filters The HTTP Security Filter (HTTP Filter) Overview of HTTP Security Filter Settings The General Tab The Methods Tab The Extensions Tab The Headers Tab The Signatures Tab HTTP Security Filter Logging Exporting and Importing HTTP Security Filter Settings Exporting an HTTP Policy from a Web Publishing Rule Importing an HTTP Policy into a Web Publishing Rule Investigating HTTP Headers for Potentially Dangerous Applications Example HTTP Security Filter Policies Commonly Blocked Headers and Application Signatures The ISA Server Link Translator Determining Custom Dictionary Entries Configuring Custom Link Translation Dictionary Entries The Web Proxy Filter The OWA Forms-Based Authentication Filter The RADIUS Authentication Filter IP Filtering and Intrusion Detection/Intrusion Prevention Common Attacks Detection and Prevention DNS Attacks Detection and Prevention IP Options and IP Fragment Filtering Source Routing Attack Summary

8. Accelerating Web Performance with ISA 2006 Caching Capabilities
Understanding Caching Concepts Web Caching Types Forward Caching Reverse Caching How Reverse Caching Reduces Bandwidth Usage How Reverse Caching Increases Availability of Web Content Web Caching Architectures Web Caching Protocols Understanding ISA 2006’s Web Caching Capabilities Using the Caching Feature Understanding Cache Rules Using Cache Rules to Specify Content Types That Can Be Cached Using Cache Rules to Specify How Objects are Retrieved and Served from Cache Understanding the Content Download Feature Configuring ISA 2006 as a Caching Firewall Enabling and Configuring Caching How to Enable Caching in Enterprise Edition How to Enable Caching in Standard Edition How to Disable Caching in Enterprise Edition How to Disable Caching in Standard Edition How to Configure Properties Configuring Which Content to Cache Configuring the Maximum Size of Objects in the Cache Configuring Whether Expired Objects Should be Returned from Cache Allocating a Percentage of Memory to Caching Creating Cache Rules How to Create a Cache Rule How to Modify an Existing Cache Rule How to Disable or Delete a Cache Rule How to Change the Order of Cache Rules How to Copy a Cache Rule How to Export and Import Cache Rules Configuring Content Downloads How to Ensure a Content Download Job Can Run Configuring the Local Host Network Enabling the System Policy Rules Running the Job Scheduler Service How to Create and Configure Scheduled Content Download Jobs How to Make Changes to an Existing Content Download Job How to Disable or Delete Content Download Jobs How to Export and Import Content Download Job Configurations How to Run a Content Download Job Immediately Summary

9. Using ISA Firewall 2006’s Monitoring, Logging, and Reporting Tools
Introduction Exploring the ISA 2006 Dashboard Dashboard Sections Dashboard Connectivity Section Dashboard Services Section Dashboard Reports Section Dashboard Alerts Section Dashboard Sessions Section Dashboard System Performance Section Configuring and Customizing the Dashboard Creating and Configuring ISA 2006 Alerts Alert-Triggering Events Viewing the Predefined Alerts Creating a New Alert Modifying Alerts Viewing Alerts that have been Triggered Monitoring ISA 2006 Connectivity, Sessions, and Services Configuring and Monitoring Connectivity Creating Connectivity Verifiers Monitoring Connectivity Monitoring Sessions Viewing, Stopping and Pausing Monitoring of Sessions Monitoring Specific Sessions Using Filter Definitions Disconnecting Sessions Exporting and Importing Filter Definitions Monitoring Services Working with ISA Firewall Logs and Reports Understanding ISA Firewall Logs Log Types Logging to an MSDE Database Logging to a SQL Server Logging to a File How to Configure Logging Configuring MSDE Database Logging Configuring Logging to a File Configuring Logging to a SQL Database How to Use the Log Viewer How to Filter the Log Information Saving Log Viewer Data to a File Exporting and Importing Filter Definitions Generating, Viewing, and Publishing Reports with ISA 2006 How to Generate a One-Time Report How to Configure an Automated Report Job Other Report Tasks How to View Reports Publishing Reports Using the ISA Firewall’s Performance Monitor Recommended Performance Counters ISA Firewall 2004 Upgrade Considerations Preserving Log Files Prior to Upgrade File Logging MSDE Logging SQL Logging Preserving SQL Logging Options Prior to Upgrade