Working with Microsoft ISA Server 2004. SkillSoft Corporation. (c) 2006.


Introduction

About the Book

ISA Server 2004 provides secure, fast, and controllable Internet connectivity. ISA Server 2004 provides various ISA Server services, such as Job Scheduler and Firewall, to implement security on the network. ISA Server provides a service called the Web cache solution. The Web cache stores the Web content that a client requests from the Web server locally on the ISA Server computer and sends the information to the client. ISA Server provides another complementary service called the organizational firewall solution that prevents unauthorized Internet users from accessing your organizational network.

About the Author

Chitrank Gautam

Chitrank Gautam holds a Bachelor's degree in Computer Science Engineering. He is proficient in languages such as C, C++, C#, Visual Basic .NET, and Java. He has a sound knowledge of databases, such as SQL Server and Oracle. He has also worked on Internet technologies, such as HTML and ASP.NET. He has authored books and ReferencePoints on .NET technologies.

Credits

I would like to thank Sushmita Chakraborty and Shruti Gupta for helping me complete the book on time and providing continuous support and encouragement.

Copyright

Working with Microsoft ISA Server 2004

Copyright 2006 by SkillSoft Corporation

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of SkillSoft.

Trademarked names may appear in this publication. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Published by SkillSoft Corporation 20 Industrial Park Drive Nashua, NH (603) information@skillsoft.com

The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author nor SkillSoft shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

Chapter 1: Overview of Internet Security and Acceleration Server 2004

Microsoft Internet Security and Acceleration (ISA) Server 2004 helps secure an Internet connection and also improves the performance of Internet access. ISA Server provides various ISA Server services, such as Job Scheduler and Firewall, to implement security on the network. It also provides features, such as monitoring and Virtual Private Networks (VPN), to manage the Internet connection. ISA Server also allows you to define rules to secure the network and protect it from unauthorized access.

This chapter provides an overview of ISA Server 2004 and explains its various features. It also explains the differences between the Standard and Enterprise versions of the software.

Introducing ISA Server 2004

ISA Server 2004 provides the firewall solution to secure the network of your organization. An organizational firewall solution is useful for preventing unauthorized Internet users from accessing the organizational network.

ISA Server also provides a Web cache solution to provide fast access to the Internet. A Web cache fills requests from the Web server, stores the requested information locally, and sends the information to the client. When the Web cache receives a request for the same information again, it does not search for the requested information on the Internet. Instead, the Web cache returns the requested information from the cached data. This reduces network traffic and the response time for Web access.

In addition, ISA Server 2004 helps implement business policies to secure the network. These business policies can be implemented by configuring the rules that specify the Web sites, protocols, and information that can be passed through an ISA Server 2004 computer.

ISA Server 2004 Architecture

ISA Server 2004 contains various communication layers to secure the organizational network. The communication layers inspect the incoming and outgoing requests through ISA Server to ensure secure communication among the networks. The communication layers are:

- Packet filtering: Inspects the incoming and outgoing packets on a network to secure the network. The data is first passed to the packet filtering layer, which determines the packets that can pass through ISA Server.
- Firewall service: Protects the network from unauthorized users. The data is passed to the Firewall service layer after the packet filtering layer.
- Web proxy: Processes ISA Server 2004 rules and determines whether or not an HTTP request should be processed.

Figure 1-1 shows the architecture of ISA Server 2004:

Figure 1-1: The ISA Server 2004 Architecture

The components of the ISA Server 2004 architecture are:

- Network Address Translation (NAT) driver: Performs the network address translation process, which helps send and receive information by translating IP addresses of the client computers.
- Application filters: Allow you to use third-party filters, such as SurfControl Web Filter and GFI Web Monitor, to extend the Firewall service. The Simple Mail Transfer Protocol (SMTP) and FTP filters are some examples of application filters.
- Clients: Represent the end-user computers that access ISA Server. ISA Server supports three types of clients:
  - Firewall clients: Are client computers with the Firewall Client software installed. The Firewall clients use the Firewall service to access ISA Server.
  - SecureNAT clients: Are client computers that do not have Firewall Client software installed. SecureNAT clients use the Firewall service to access ISA Server.
  - Web Proxy clients: Are computers on which Web applications are configured to use ISA Server as a proxy server.

ISA Server 2004 Features

ISA Server 2004 provides various features that help manage and secure Internet connections. The key features of ISA Server 2004 are:

- Web Cache
- Multi-networking
- Security and firewall policy
- Virtual Private Networks
- Monitoring
- Add-Ins
- Enterprise Management
- Extensible Platform

Web Cache

ISA Server 2004 uses the Web cache to improve network performance. The various caching features of ISA Server 2004 are:

- Distributed caching: Enables you to configure ISA Server 2004 on multiple computers and to use ISA Server 2004 computers as a logical cache. ISA Server 2004 uses Cache Array Routing Protocol (CARP) to implement this feature.
- Hierarchical caching: Enables you to set up a hierarchy of computer arrays hosting ISA Server. This enables a network client to access the data cached at the nearest cache.
- Scheduled caching: Enables the configuring and scheduling of ISA Server 2004 to provide frequently requested Web content to the cache. You can use the Microsoft ISA Server 2004 Job Scheduler service to implement the scheduled caching feature.
- Reverse caching: Enables external clients to access internal or published servers. You can deploy ISA Server as a reverse caching server to cache all the data that the external clients frequently request from your network's published Web servers. ISA Server fulfills all external client requests using the cached data. If the requested content is not found in the Web cache, ISA Server forwards the request to the Web server.

- Forward caching: Enables internal clients to communicate with the Internet. You can deploy ISA Server as a forward caching server to cache all frequently requested Web content. This reduces the processing time to fulfill requests.
- High-performance Web caching: Uses the RAM cache and the Web cache to cache frequently requested Web content. This improves Web performance when internal clients access the Internet Web servers and Internet users access the internal Web server.

Multi-Networking

Multi-networking is the process of grouping the network of an organization into network sets. A network set is a group of networks on which you can apply a rule to secure the networks in the network set. Multi-networking restricts communication between the clients in an organization, which helps ISA Server protect an organization's network against internal and external security threats.

For each network set on an internal network, ISA Server allows you to configure an access policy and define its relationship with the other network sets. The relationship between two network sets defines how computers on these two networks communicate with each other. As a result, the multi-networking feature of ISA Server allows you to identify, configure, and define the connections and relationships among computers on internal and external networks.

Multi-Networking Environment

The multi-networking environment of an organizational network consists of network sets that a firewall or a router connects. Inbound and outbound communication with a network is allowed or denied based on the access control configuration on the firewall or router. Figure 1-2 shows the multi-networking environment:

Figure 1-2: Multi-Networking Environment

The perimeter network in the multi-networking environment is connected to the organizational network and the Internet. Connectivity between the perimeter network and the other two networks allows the clients on the organizational network and the Internet to access the resources on the perimeter network.

Note: A perimeter network is set up in isolation from both an organizational network and the Internet. Perimeter networks protect an organizational network from access by external users. The external users can access specific servers located on the perimeter network. A perimeter network is also called a screened subnet or the demilitarized network.

The connectivity among the various network sets in the multi-networking environment is as follows:

- Clients on the organizational network can access the Internet, but computers on the Internet cannot access the clients on the organizational network.
- Clients on the organizational network can access the resources on the perimeter network.
- Clients on the Internet can access some resources on the perimeter network.

Network Access Policy

The network access policy defines the relationships among networks to specify whether the networks can connect to each other. This policy also defines how the networks can connect to each other. You can define network rules to set the level of access among the networks. Figure 1-3 shows the concept of the network access policy:

Figure 1-3: Network Access Policy

The relationships that network rules define among networks are:

- Routing relationship: Defines a bi-directional relationship that allows traffic between networks. In Figure 1-3, this relationship exists between the branch office and headquarters, which is represented by Label 1.
- NAT relationship: Defines unidirectional NAT relationships. In the figure, three NAT relationships exist, which are:
  - Organizational network to perimeter network: Defines the unidirectional relationship from the organizational network to the perimeter network.
  - Organizational network to Internet: Defines the unidirectional relationship from the organizational network to the Internet.
  - Perimeter network to Internet: Defines the unidirectional relationship from the perimeter network to the Internet.

Note: You should define a routing relationship when you want to publish IP addresses for Web publishing or publish a mail server, and a NAT relationship when you do not want to expose IP addresses.

Multi-Networking Features

The multi-networking features of ISA Server 2004 are:

- Multiple network configuration: Allows you to separately configure each network with a distinct relationship with other networks in a multi-networking environment.
- Unique per-network policies: Ensures that any internal or external attacks, such as virus attacks, do not affect a network. To ensure this, ISA Server limits communication among clients. ISA Server's support for perimeter networks in multi-networking scenarios allows you to configure the way various networks can access the perimeter network.
- The routed and NAT network relationship: Allows you to define network relationships according to your routing, transparency, and security requirements. The routed relationship routes the traffic to ISA Server and is used when you require transparent and less secure communication between networks. The NAT relationship is used when you require secure and less transparent communication between networks.

Security and Firewall Policy

You can deploy ISA Server as a firewall to prevent unauthorized Internet users from accessing a network. ISA Server monitors communication, including requests and responses, between the Internet and the clients on a network. ISA Server 2004 uses monitoring to issue alerts on unauthorized access to the network. This allows only authorized users to access the computers on a network. In addition, monitoring communication allows you to limit Internet access to authorized clients on a network.

ISA Server 2004 allows you to control both inbound and outbound access based on the firewall policy. This policy allows you to define access controls based on user, group, application, source, destination, content, protocol, port, and schedule. For example, you can define a firewall policy to allow or deny clients access to a resource. In addition, the firewall policy specifies the sites and the content accessible for both inbound and outbound communication.

The various security and firewall policy features of ISA Server 2004 are:

- Allows you to define access rules, which specify the sites and content accessible from the Internet and the protocols used to access these sites and content.
- Issues an alert on interference detection, such as an attack on a network.
- Supports complex protocols, such as the ones that streaming media, voice applications, and video applications require. These applications require multiple primary connections.
- Allows you to define a customized protocol definition. You can define firewall policy rules for a protocol to manage the source and destination port numbers of that protocol. The protocol definition also allows you to manage the packets flowing through the firewall.
- Allows you to define network objects, such as computers, network sets, and address ranges. You can apply one firewall policy rule to all the computers on a network object.
- Allows you to define firewall policy rules that are stored in an ordered list. ISA Server compares the connection parameters of the connection with the connection parameters of the rules in the order of their appearance on the ordered list. When ISA Server finds a rule with an identical set of connection parameters, it enforces the policy of that rule. This enables ISA Server to determine whether a connection is allowed or denied.
- Supports FTP, which allows you to access the Internet FTP servers that are listening to alternate port numbers. You do not need any special configuration on the client or the ISA Server computer if the FTP port is allowed in the firewall policy of the client.
- Provides port redirection for server publishing rules. A client request received at a port number can be redirected to another port number on the published server.
- Provides secure Web publishing. You can use the Web Publishing Wizard to create rules that allow remote users to access the published servers from a remote location using Secure Socket Layer (SSL) connections. ISA Server allows you to place the servers behind the firewalls on both the corporate network and a perimeter network to secure the services. Placing servers behind firewalls allows you to securely publish the services of published servers.
- Provides user authentication and authenticates an end user who sends a Web request. The various user authentication methods that ISA Server 2004 provides are:
  - Integrated authentication: Generates a unique number, called a message digest or a hash value, using a formula for the user name and the password before sending the hashed value across the network. ISA Server 2004 uses the Kerberos V5 authentication protocol, the Windows NT LAN Manager (NTLM) authentication protocol, or a challenge/response authentication protocol to authenticate users using this method.
  - Authentication using SSL client certificates: Encrypts and decrypts data to enable privacy of all communication over the network.

  - Digest authentication: Generates hash values for the user names, passwords, and other data of HTTP clients.
  - Advanced digest authentication: Generates hash values for user accounts in Active Directory in a Windows Server 2003 domain. Active Directory is a directory service that stores information, such as the number of computers, devices, and users on the network, to securely manage the network.
  - Basic authentication: Encodes user names and passwords using the Base64 encoding method. You can decode the data related to authentication information using any decoding utility. This is the default authentication method.

ISA Server 2004 provides multilayered firewall security by filtering traffic at the packet, circuit, and application levels. The three types of filtering for securing the network are:

- Stateful packet filtering: Determines whether a packet can pass through network and application layer proxy services. Stateful packet filtering opens and closes ports automatically for communication.
- Circuit filtering: Allows you to access Internet protocols and services from multiple platforms using application-transparent circuit gateways. Gateways are devices that connect networks and use protocols for communication among these networks.
- Application filtering and stateful inspection: Verifies whether or not the data in a packet is valid. Application filtering evaluates the packets at the application layer and allows the connection only if the data in the packet is valid.

Virtual Private Networks

A VPN is a private network that a company uses for internal communication, or that companies use to communicate over a public network. VPN messages use standard protocols for communication over a private networking infrastructure. A VPN connects branch offices or remote users to organizational networks, enabling them to send data. Two types of VPN connections are:

- Remote access VPN connection: Allows remote clients to establish a remote access VPN connection with a private network. Using this connection, a remote access client can access a network attached to the VPN server.
- Site-to-site VPN connection: Enables communication among the offices of an organization.

VPN enables you to apply a firewall policy to VPN connections to secure your network. The VPN features of ISA Server 2004 include:

- Stateful filtering and inspection for VPN: Allows you to configure a firewall policy separately for VPN clients because VPN clients are configured as a separate network. The firewall engine checks VPN client requests, statefully filters and inspects the requests, and dynamically opens connections based on the access policy.

  Note: Stateful filtering determines the packets that can be allowed to pass through an ISA Server 2004 computer.

- SecureNAT client support for VPN clients connected to ISA Server 2004 VPN Server: Extends the VPN client support to SecureNAT clients. ISA Server allows SecureNAT clients to access the network even if the client computer does not have Firewall Client software installed.
- Stateful filtering and inspection through a site-to-site VPN tunnel: Helps statefully filter and inspect all communication using a site-to-site VPN connection. You can use the VPN connection to control access to resources depending on a user-based or group-based access policy.
- VPN quarantine control: Allows you to quarantine VPN clients that do not fulfill specific predefined security requirements on a separate network. ISA Server provides network access to only the VPN clients that pass security tests based on VPN client firewall policies. The clients that fail the security test have limited access to the network.
- Internet Protocol Security (IPSec) tunnel mode support for site-to-site VPN links: Allows you to use the IPSec tunnel mode as the VPN protocol that enables ISA Server to support site-to-site links. This increases ISA Server's interoperability with various third-party VPN solutions.
- VPN monitoring and logging: Allows you to monitor VPN clients and remote VPN network activity.

Monitoring

Monitoring enables you to monitor connections with ISA Server. The various monitoring features of ISA Server are:

- Dashboard: Provides a summary of the functioning of ISA Server 2004 components and services. The Dashboard view provides information about:
  - Connectivity: Provides information about a connection between the ISA Server 2004 computer and another computer or URL.
  - Alerts: Provides information about the events that occur on the ISA Server 2004 computer. You can also configure the alert definition to run an action or a program when an event occurs.
  - Services: Lists services, with their status, on the ISA Server 2004 computer.
  - Sessions: Lists the total number of client sessions.
  - Reports: Lists newly created reports.

  - System health: Shows performance information about the ISA Server 2004 computer.

  Note: A session is a unique combination of a client IP address and a user name.

- Real-time monitoring in log viewer: Displays the firewall and Web Proxy log entries in session view, as they appear in the firewall log file in real time.
- Built-in log query: Allows you to query log files. You can query the Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) logs to limit the scope of the query. You can view the query results on the ISA Server 2004 console and copy them from there to another application for detailed analysis.
- Real-time monitoring and filtering of sessions: Displays all active connections from where you can sort or disconnect a single session or a group of sessions.
- Connectivity verifiers: Enable you to verify connections between an ISA Server 2004 computer and another computer. You need to specify an IP address, a computer name, or a URL that you want to monitor using connectivity verifiers.
- Report publishing: Allows you to publish ISA Server 2004 reports either manually or by configuring ISA Server 2004 report jobs to automatically publish the reports. After the creation of the report, a copy of the report is saved in a local folder or network file share. To enable other users to view the reports, you need to map the folder or file share that stores the reports to the virtual directory of a Web site.
- Log on to the MSDE 2000 database: Helps store logs in the local MSDE 2000 database. This increases the query speed and flexibility.
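
The difference between the Basic and digest authentication methods described under Security and Firewall Policy, shown as an added example that is not from the book or from ISA Server. It assumes HTTP Digest as defined in RFC 2617 (MD5 with qop=auth); the two sample headers are the published sample values from RFC 2617, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

# Sample Authorization header values (the worked examples published in RFC 2617).
SAMPLE_BASIC = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
SAMPLE_DIGEST = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def decode_basic(value):
    """Return (user, password) from a Basic header value. No key is needed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = text.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def parse_digest(value):
    """Split a Digest header value into its name=value parameters."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {name: quoted or bare for name, quoted, bare in pairs}


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """Compute the RFC 2617 response hash for qop=auth."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")   # secret side
    ha2 = _md5_hex(f"{method}:{uri}")              # request side
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(value, method, password):
    """Server-side check: recompute the hash from the stored password."""
    f = parse_digest(value)
    expected = digest_response(f["username"], f["realm"], password, method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


def exposed_secret(value):
    """Password that anyone who can read this header recovers, or None."""
    if value.split(" ", 1)[0].lower() == "basic":
        return decode_basic(value)[1]
    return None  # Digest carries only a hash bound to the nonce and request


if __name__ == "__main__":
    print("Basic header reveals:", decode_basic(SAMPLE_BASIC))
    print("Digest header reveals:", exposed_secret(SAMPLE_DIGEST))
    print("Digest verifies:", verify_digest(SAMPLE_DIGEST, "GET", "Circle Of Life"))
```

Because a Basic header is only encoded, it needs an SSL connection to keep the password private, whereas the digest header exposes only a hash tied to one nonce and request.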

Add-Ins

Add-ins are application filters and Web filters developed by Microsoft or third-party vendors that provide an additional filtering functionality to ISA Server. The add-in features of ISA Server 2004 are:

- HTTP filtering on a per-rule basis: Allows you to use the ISA Server HTTP policy that allows the firewall to perform stateful inspection on a per-rule basis. In addition, you can create and configure custom rules to filter HTTP inbound and outbound access.
- Block access to all executable content: Helps configure an ISA Server HTTP policy that enables you to block attempts to connect to Windows executable content.
- Apply HTTP filtering to all ISA Server 2004 client connections: Allows you to use Multipurpose Internet Mail Extensions (MIME) for HTTP or file extensions for FTP to block content for Web Proxy client-based HTTP and FTP connections. This allows you to limit HTTP access for all ISA Server client connections.

- Control HTTP access based on HTTP signatures: Helps create signatures to limit the content internal and external users can access using ISA Server. You can compare the signatures against various parameters, including the request URL, request headers, request body, response headers, and response body.
- FTP policy: Helps configure an ISA Server FTP policy to limit access to FTP. An end user can be allowed one of the following types of access:
  - Upload and download through FTP.
  - Download through FTP.
- Granular control over IP options: Helps configure IP options and allow or block IP options according to your requirements.

Enterprise Management

An enterprise includes a collection of computers grouped into arrays. An array is a collection of multiple interconnected ISA Server computers running ISA Server services and sharing the same configuration. ISA Server enables you to manage the enterprise using features such as:

- Enterprise policy: Helps enforce an enterprise policy at enterprise level. An enterprise policy contains a set of rules applicable to the arrays in an enterprise. The enterprise administrator manages the enterprise policy. The enterprise policy administrator assigns the policy-level authority granted to the array administrators.
- Enterprise network: Enables the creation of enterprise-level rules to manage the enterprise network.
- Centralized monitoring: Helps an authenticated user monitor the ISA Server computer.

Network Load Balancing

You can include ISA Server 2004 in an array for Network Load Balancing (NLB) and fault tolerance. NLB distributes requests coming from clients among computers hosting ISA Server. When one of the computers hosting ISA Server fails, another available ISA Server computer accepts the request. NLB provides uninterrupted service to clients. You can enable NLB configuration for each array at enterprise level. NLB can be configured in one of two modes:

- Integrated NLB: Uses the ISA Server Management console to configure NLB. Configuring NLB in integrated mode provides various features, such as easy management of configuration and maintenance of array integrity.
- Nonintegrated NLB: Uses Microsoft Windows-based configuration tools to configure NLB.

Extensible Platform

You can use the Administration Component Object Model (COM) to extend the functionality of ISA Server. The extensible platform features of ISA Server 2004 are:

- Broad application support: Supports a broad range of Internet and intranet protocols, such as HTTP/SSL, FTP, Real Audio, and Real Video.
- Broad vendor support: Supports various independent vendors that provide products, such as software for virus detection, software to filter and report content, and management tools, built on ISA Server. These products can also integrate with ISA Server.
- Extensive software development kit: Allows you to develop tools, such as Web filters, application filters, and reporting tools, which build on ISA Server 2004 features, such as firewall, caching, and management. You can use ISA Server's comprehensive Software Development Kit (SDK), which provides Application Programming Interfaces (APIs) and systematic samples to develop tools.

ISA Server 2004 Editions

ISA Server 2004 is available in two editions, ISA Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition. ISA Server 2004 Enterprise Edition includes all the features of ISA Server 2004 Standard Edition and some new features, such as enterprise management.

ISA Server 2004 Standard Edition

ISA Server 2004 Standard Edition is designed for small to medium-sized organizations. This edition of ISA Server 2004 provides various features, such as multi-networking, security, and firewalls, to secure Internet connections. Standard Edition contains the enterprise firewall and the Web cache server that ensures fast and secure access to the Internet. You can install ISA Server 2004 Standard Edition on the Microsoft Windows 2003 and Microsoft Windows 2000 Server operating systems. The key features of ISA Server 2004 Standard Edition include:

- Multi-networking
- Security and firewalls
- Virtual private networking
- Monitoring
- Add-ins

ISA Server 2004 Enterprise Edition

ISA Server 2004 Enterprise Edition is designed for medium to large-sized organizations. This edition uses a multiple-layer enterprise firewall and a high-performance Web cache server to provide fast and secure access to the Internet. You can install ISA Server 2004 Enterprise Edition on the Microsoft Windows 2003 Server operating system.

ISA Server 2004 Enterprise Edition Components

ISA Server 2004 contains various components, such as ISA Server 2004 Management Console and Configuration Storage Server, to manage and store the configuration of the arrays in an enterprise. You can select the components you want to install at the time of installation according to your requirements. The components of ISA Server 2004 Enterprise Edition are:

- ISA Server 2004 Management: Helps you manage the ISA Server 2004 computers in an enterprise by connecting to the Configuration Storage server using the ISA Server 2004 Management console. The administrator can also use this console to obtain information about computers that run ISA Server 2004 services.
- Configuration Storage Server: Stores the configurations of all arrays in an enterprise. An enterprise can support multiple Configuration Storage servers. The Configuration Storage server uses Active Directory Application Mode (ADAM) to store the configurations of the arrays. Configuring the arrays in an enterprise changes the configuration information on the Configuration Storage server. This allows the computers hosting ISA Server 2004 Enterprise Edition to verify the Configuration Storage server for any changes and update their local storage. You can specify a Configuration Storage server for an array of ISA Server 2004 Enterprise Edition computers. You can also specify an alternate Configuration Storage server that an array can use to fetch updated configuration information in the event of the failure of the first Configuration Storage server.

  Note: ADAM is a Lightweight Directory Access Protocol (LDAP) that helps store and retrieve data for directory-enabled applications. Installing the Configuration Storage server automatically installs ADAM on a computer.

- ISA Server 2004 services: Is the ISA Server computer that runs various functions, such as firewalls, VPN, and caching, of ISA Server. An ISA Server computer that runs ISA Server services is also connected to a Configuration Storage server.
- Array: Consists of multiple computers hosting ISA Server and running ISA Server services. The computers in an array must be physically connected and should have identical configuration. The identical configuration items for the computers in an array are:
  - Partitions
  - Configured dial-up connections
  - Certificates installed on all array members
  - Domain and site configuration
  - Time zone and synchronized clocks
  - Updates installed
  - Number of network adapters
  - Language version of ISA Server 2004 and Microsoft Windows Server 2003 installed. The locale set for the computer and the currently logged-on user should also be the same.

  Network services, such as Domain Name System (DNS), and Active Directory connectivity, should also be available to all members of an array.

- Enterprise: Is defined as a collection of arrays of ISA Server 2004 computers. There can be multiple Configuration Storage servers in an enterprise to store ISA Server 2004 information.

Note: For more information on installing the components of ISA Server 2004, refer to Chapter 3.

Enterprise Edition Configuration

ISA Server 2004 stores the configuration settings of the computers in an enterprise and the arrays on a Configuration Storage server. The configuration settings of an enterprise include enterprise-level security roles, enterprise policies, enterprise networks, rule elements, and configuration settings for add-ins. Only the administrator of an enterprise can define the configuration settings for the arrays in the enterprise by. Alternatively, the array administrator defines configuration settings for all ISA Server 2004 computers in an array. ISA Server uses the FPCEnterprise object to represent the enterprise configuration and the FPCArray object to represent the array configuration. The configuration settings for the ISA Server computers in an enterprise are:

- Vendor parameter sets
- Rule elements
- Add-ins configuration settings

Vendor Parameter Sets

Vendor parameter sets allow you to introduce enterprise-level configuration settings to all ISA computers in an enterprise. To do this, you must attach vendor parameters sets to enterprise-level objects. These objects represent enterprise-level rule elements, application filters, and Web filters. You can store vendor parameters sets with the configuration of an ISA Server computer. You can retrieve these vendor parameter sets by accessing the vendor parameters set attached to the corresponding array-level object.

You can define two vendor parameters sets with the same or different Globally Unique Identifiers (GUIDs) for one rule element, one in the enterprise configuration and one in the array configuration. If the two vendor parameters sets have different GUIDs, you can access both of them. Alternatively, if they have the same GUID, the enterprise-level parameters override the array-level parameters in the effective configuration of an ISA computer.

Rule Elements

Rule elements allow you to configure rules that can apply either to an array or to an enterprise. An array administrator configures the array-level rules that apply to all ISA computers in an array. An enterprise administrator configures the enterprise-level rules that the administrator can use to configure enterprise policies. An array administrator can use enterprise-level rule elements to create array-level rules.

You can define two rule elements, such as protocols, with the same or different GUIDs for both the enterprise configuration and the array configuration. In addition, you can attach two vendor parameters sets with two protocols with the same GUID. If the rule elements have the same GUID, the effective configuration stores only the enterprise-level rule element. The effective configuration stores both vendor parameters sets attached to the rule element. The rule elements of an enterprise-level rule are:

- Content type sets
- Schedules
- Protocols

22 User sets Network entities Add Ins Configuration Settings Configuration settings for add ins help array the administrator and the enterprise administrator to register application filters and Web filters in the set of filters. Both the enterprise configuration and the array configuration contain collections of filters. An array administrator registers a filter in the array configuration to enforce a filter s policy in the array. Registering a filter in the enterprise configuration: Introduces an enterprise level configuration by attaching a vendor parameters set to the filter object. Enables the filter in the array configuration even if the filter is disabled in the enterprise configuration. If you enable the filter in the enterprise configuration, you cannot disable the filter in the array configuration. Helps add property pages in ISA Server 2004 Management to set enterprise configuration settings for a filter. Additional Features of the Enterprise Edition ISA Server 2004 Enterprise Edition includes all the features in the Standard Edition, and adds these additional capabilities: Centralized management: Helps manage all arrays and their member servers located at disparate locations across the world from a central location using the ISA Server 2004 Management console. Using the ISA Server 2004 Management console, you can configure a firewall at one location and automatically update array member servers located at different locations all over the world. Enterprise and array policies: Helps implement both enterprise level and array level policies. Using enterprise level policies, you can implement firewall access policies on multiple arrays situated at multiple locations. In addition, you can implement array level firewall access policies that are applied to a specific array. CARP: Helps store and retrieve cached Web data for an array of computers hosting ISA Server 2004 using CARP. 
The use of the CARP algorithm improves the ISA Server 2004 Web proxy and caching performance. Network Load Balancing: Helps manage NLB from ISA Server 2004 because ISA Server 2004 provides support for the Windows NLB service. Centralized storage: Helps store array configuration information in the ADAM database. The storage areas, where you can store the firewall policy for an array, are: The ADAM database that you can place on an ISA Server 2004 computer in the array

23 The Configuration Storage server on the organizational network The domain controller Multiple Configuration Storage servers: Allows you to configure multiple Configuration Storage servers at multiple locations, such as in the main and branch offices. This enables ISA Server 2004 to provide fault tolerance for array configuration. It also ensures that the Configuration server is always available to array members. Centralized monitoring: Helps monitor all ISA Server 2004 computers from one location. A firewall administrator uses a centralized management console to monitor all the servers in an array.

ISA Server 2004 Services

ISA Server 2004 acts as a gateway between the organizational network and the Internet. ISA Server 2004 uses its services to implement security in the IP packet layer, the application layer, and the circuit layer. ISA Server services include:
- Control service
- Job Scheduler service
- Firewall service
- Additional services

Note: A gateway is a device that routes packets of data between TCP/IP networks using disparate transport protocols.

The Control Service

The ISA Server Control (isactrl) service helps start or stop other services. The various functions of the isactrl service are:
- Restarts other ISA Server 2004 services when you change the configuration settings of ISA Server 2004 using the ISA Server 2004 Management console.
- Generates alerts and runs actions.
- Updates the configuration settings of the Firewall client.
- Deletes the log files that are not in use.
- Synchronizes the configuration of an ISA Server 2004 computer with the Configuration Storage server assigned to the array to which this ISA Server 2004 computer belongs.

You cannot start or stop the isactrl service using the ISA Server 2004 Management console. Stopping the isactrl service automatically stops other ISA Server 2004 services. To stop the isactrl service, enter the following command at the command prompt:

    net stop isactrl

The Job Scheduler Service

You can use the isasched Job Scheduler service to implement scheduled caching in ISA Server. Using the isasched service, you can download frequently requested Web content directly to the Web cache at client requests or according to a user-defined schedule. You can configure and schedule an ISA Server 2004 computer to download one URL, multiple URLs, or a complete Web site. When you cache some Web content, it becomes available to the clients directly from the Web cache and not from the Internet. You can determine Web content that needs to be stored locally in the Web cache by monitoring and analyzing Internet access. After determining when and what to download, you can use the isasched service to prepare the Web cache accordingly.

The Firewall Service

The ISA Server Firewall service is an API service represented by fwsrv. This service is a circuit-level proxy for Winsock applications. Using the Firewall service, you can directly connect specific Winsock-compatible client applications, such as Telnet, e-mail, news, and Microsoft Media Player, to the Internet. The client application communicates with an application running on an Internet-based host using Winsock API calls.

Note: Winsock is a networking API you can use to create TCP/IP-based sockets applications. Winsock provides a bi-directional connection between applications and the transport protocol.

ISA Server 2004 uses the fwsrv service to inspect all communication between source and destination computers. This helps determine whether to allow or deny traffic between these computers based on associated rules. ISA Server 2004 can also direct the traffic to application filters for additional filtering before allowing or denying the traffic. The Firewall service also provides a DNS cache, logging, network configuration detection, connection monitoring, and automatic dialing.

The Firewall service of ISA Server 2004 establishes communication between the internal network and the Internet. It redirects particular functions to the ISA Server 2004 computer, which eliminates the need for a specific gateway for each protocol. As a result, an application benefits from a proxy without using a protocol. The local network remains secure because the internal and the Internet applications communicate through an ISA Server 2004 computer.

The Firewall service runs as a stand-alone service on Microsoft Windows Server. You can stop the Firewall service either programmatically using a script or manually using the ISA Server 2004 Management console. An alert can also stop the Firewall service if it is configured to shut the service down.

ISA Server 2004 enters lockdown mode when the Firewall service shuts down. In lockdown mode, ISA Server 2004 remains isolated and connected at the same time. In lockdown mode:
- ISA Server 2004 does not issue alerts.
- ISA Server 2004 is not accessible to VPN remote access clients and remote site networks in site-to-site VPN scenarios.
- ISA Server 2004 does not apply any changes to network configuration. It applies the changes when the Firewall service restarts and ISA Server 2004 is out of lockdown mode.
- The kernel-mode packet filter driver (fweng) applies the firewall policy.
- ISA Server 2004 allows an outgoing connection from the local host network to all networks. You can use an outgoing connection to respond to incoming traffic.

Additional Services

The additional services that ISA Server 2004 supports are:
- The Microsoft ISA Server Storage (ISASTG) service: Provides local storage for the ISA Server configuration.
- The MSSQL$MSFW service (MSSQL$MSFW): Helps store the log information of ISA Server services. The MSSQL$MSFW service is an instance of Microsoft Data Engine, which is a service of Microsoft SQL Server Desktop Engine (MSDE).

ISA Server 2004 Clients

ISA Server 2004 clients are computers that can access the network through ISA Server. ISA Server supports three types of clients:
- Firewall
- SecureNAT
- Web Proxy

Firewall Clients

Computers with the Firewall Client software installed and enabled are called Firewall clients. Firewall clients run Windows Sockets (Winsock) applications that use the Firewall service of ISA Server. When you configure a network for the Firewall clients, ISA Server 2004 receives incoming requests from Firewall clients on TCP port. ISA Server 2004 stores the IP address ranges of the Firewall clients on a network in a table. The table that stores IP address ranges separately on all Firewall clients is called the Local Address Table (LAT). You can also create a custom version of the LAT that contains additional IP addresses and store it locally on each Firewall client in \Documents and Settings\All Users\Application Data\Microsoft\Firewall client 2004\Locallat.txt. You need to represent each IP address range by a pair of IP addresses in the locallat.txt file. Each Firewall client uses the locallat.txt file to determine whether the IP addresses are part of the Internal network.

A client that receives a request from a Winsock application running on a Firewall client determines whether the destination IP address is local or not. If the client recognizes the destination IP address as local, it sends the request directly to the destination computer; otherwise, the client sends the request to the Firewall service on an ISA Server computer. Then, application filters and add-ins filter the request. The Firewall service redirects HTTP requests to the Web proxy that either serves a request from the ISA Server cache or caches the requested object. ISA Server supports Firewall clients only if the Firewall service is running.
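The local-or-not decision described above can be reproduced offline to review a custom locallat.txt before it is deployed, since every range it lists is sent directly and never reaches the Firewall service. The following Python sketch is an added example, not code from the book or from Microsoft. It assumes each range is written as two whitespace-separated IPv4 addresses on one line; the sample file contents, the function names, and the list of expected internal networks are constructed for illustration.

```python
import ipaddress

# Constructed sample of a locallat.txt file. Assumed layout: one range per
# line, written as "<first address> <last address>" separated by whitespace.
SAMPLE_LOCALLAT = """\
10.0.0.0      10.255.255.255
192.168.10.0  192.168.10.255
172.16.5.20   172.16.5.20
203.0.113.0   203.0.113.255
192.168.50.9  192.168.50.1
not-an-ip     10.1.1.1
"""

# Assumption: the networks the administrator expects to be internal.
EXPECTED_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_locallat(text):
    """Return (ranges, errors). ranges holds (first, last) IPv4Address pairs,
    errors holds (line number, reason) for lines that cannot be used."""
    ranges, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append((lineno, "expected a pair of addresses"))
            continue
        try:
            first, last = (ipaddress.IPv4Address(p) for p in parts)
        except ipaddress.AddressValueError:
            errors.append((lineno, "invalid IPv4 address"))
            continue
        if first > last:
            errors.append((lineno, "range start is above range end"))
            continue
        ranges.append((first, last))
    return ranges, errors


def route_for(destination, ranges):
    """Mirror the client's decision: 'direct' when the destination falls in
    a LAT range, otherwise 'firewall-service'."""
    dest = ipaddress.IPv4Address(destination)
    for first, last in ranges:
        if first <= dest <= last:
            return "direct"
    return "firewall-service"


def audit(ranges, expected_internal):
    """Return the LAT ranges that are not fully inside an expected internal
    network. Traffic to those ranges would go direct, outside the Firewall
    service's rules and application filters."""
    findings = []
    for first, last in ranges:
        # A network is contiguous, so both endpoints inside means the whole
        # range is inside.
        covered = any(first in net and last in net for net in expected_internal)
        if not covered:
            findings.append((str(first), str(last)))
    return findings


if __name__ == "__main__":
    lat, problems = parse_locallat(SAMPLE_LOCALLAT)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    for dest in ("10.2.3.4", "198.51.100.7", "203.0.113.9"):
        print(dest, "->", route_for(dest, lat))
    for first, last in audit(lat, EXPECTED_INTERNAL):
        print(f"review: {first} - {last} is outside the expected internal networks")
```
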
The various aspects of Firewall clients are:
- Supports only Windows operating systems
- Requires the installation of the Firewall client software
- Supports all Winsock application protocols
- Provides user-level authentication
- Requires configuration files for server applications

SecureNAT Clients

SecureNAT clients are computers that require the configuration of the default gateway that helps SecureNAT clients communicate with the Internet through an ISA Server computer. The default gateway enables communication with other networks by sending IP packets to the required destination. You can configure the SecureNAT client either manually or using the Dynamic Host Configuration Protocol (DHCP) service. You need not install the Firewall Client software for SecureNAT clients. SecureNAT clients use the Firewall service to provide security features. The Firewall service handles requests from SecureNAT clients to provide security features to the SecureNAT clients.

The various aspects of SecureNAT clients are:
- Requires network configuration changes during the installation of ISA Server.
- Supports operating systems that support TCP/IP protocols.
- Requires application filters for multiple connection protocols.
- Helps modify the protocol stream using application filters. This allows SecureNAT clients to handle complex protocols.
- Passes all Web requests to the Web proxy through the Firewall service. The Web proxy handles the cache and ensures that appropriate policy rules are applied.

Web Proxy Clients

Web proxy clients are computers that should comply with HTTP 1.1 and should be configured to use ISA Server's Web proxy. The Web Proxy clients:
- Require you to configure the settings of the Web browser.
- Support HTTP, Secure HTTP, and FTP.
- Support user-level authentication.

Note: A browser application that follows the standards laid out by Conseil Européen pour la Recherche Nucléaire (CERN) is called a Web proxy client.

If the Firewall Client software is installed on a Web proxy client computer, ISA Server 2004 configures the settings of the Web browser on a Firewall Client desktop. Some Web browser properties that you can reconfigure are:
- Automatic discovery settings
- ISA Server and the port to which the client should connect
- Computers that the Firewall client's Web browser can access directly
- Backup route

If you do not install the Firewall Client software, you need to manually configure the Web browser for Web proxy clients.

Note: CERN is a European organization for nuclear research. CERN is the world's largest particle physics center. One of the greatest achievements of CERN is the World Wide Web. CERN developed the World Wide Web for faster information sharing among physicists working at various universities and institutes across the world.

ISA Server 2004 Web Cache

The ISA Server Web cache helps store frequently accessed Web content as cached data. This cached data fulfills subsequent requests by network clients to minimize access time and network traffic. ISA Server uses RAM caching to store the cached pages in the RAM. ISA Server also supports CARP for distributed caching. You can administer the Web cache using the ISA Server 2004 administration COM objects. Using COM objects, you can administer the cache programmatically, automate cache-related administration tasks, and extend cache performance.

How the ISA Server 2004 Cache Works

When you install ISA Server 2004, caching is disabled. To enable caching, you have to allocate at least one drive as a cache drive on an ISA Server computer and allocate some space on this drive for caching. After caching is enabled, you can define cache rules to configure the cache. These rules determine whether the content of a specific Web site should be stored or retrieved from the cache. ISA Server 2004 supports two types of caching:
- Forward caching: Used for outgoing requests.
- Reverse caching: Used for incoming requests.

When an end user requests an object, ISA Server analyzes the Web cache to determine whether or not to retrieve an object from the cache. ISA Server 2004 Enterprise Edition uses CARP to determine the server from which the Web server should retrieve the cached data. If the Web object is not in the cache, ISA Server checks Web chaining rules. These rules decide whether ISA Server forwards the request to the requested Web server, to another upstream proxy server, or to a specific destination.

If ISA Server finds the requested Web object in the cache, it:
1. Verifies whether the object is valid or not based on certain conditions. If the object is valid, ISA Server retrieves the object and returns it to the end user. The conditions that ISA Server uses to check the validity of an object are:
   - Time To Live (TTL) value: Should be active. TTL is a field in a TCP/IP header that indicates the age of expiration value. The data containing an active TTL value can be forwarded only to the network.
   - TTL configured in content download job: Should be active.
   - TTL configured for the object: Should be active.
2. Checks the Web chaining rules if the object is invalid.
3. Determines whether to forward the request to the requested Web server, to another upstream proxy server, or to a specific destination.
4. Checks whether the requested Web server is accessible if the applicable Web chaining rule is configured to forward the request to the Web server.
5. Analyzes the cache configuration if the Web server is inaccessible. ISA Server returns the object to the end user if the cache is configured to return an expired object within a specific maximum expiration time. If the cache cannot return an expired object, ISA Server returns an error.
6. Caches the object and returns it to the end user if the Web server is available.

Note: For more information about configuring the cache, refer to Chapter 8.

The Caching Mechanism

When you configure a drive for ISA Server caching, a file named Dir1.cdat is created in the <drive>:\urlcache folder. ISA Server creates a cache content file for each 10 GB space on a disk. For example, if you allocate 15 GB for caching, ISA Server 2004 creates 2 cache content files, one of 10 GB and the other of 5 GB. ISA Server uses a formula to assess the age and size of an object and how frequently end users access the object. When the cache content file does not have enough space to hold a new object, ISA Server deletes older objects from the cache.

To delete the contents of the Web cache, you need to stop the Firewall service. After stopping the Firewall service, you can delete the .cdat files on the cache drives. ISA Server 2004 creates new empty .cdat files when the Firewall service restarts.

Caution: You should not modify or delete .cdat files when the Firewall service is running.

RAM Caching

ISA Server stores cached content in the RAM and the disk to provide faster access to Web content. The Web content stored in the RAM can be accessed faster than the Web content stored on the disk. You can configure the percentage of available memory to use for caching. By default, 10 percent of the RAM is used for caching. ISA Server does not provide a direct mechanism to check whether a page is cached or written to the disk. If the ISA Server computer stops responding, you must retrieve the objects from the Internet that are stored in memory but not written to the disk.

CARP

You can use CARP to implement distributed caching. CARP provides efficient Web-based load balancing to arrays and allows them to distribute cached content among array members. This protocol provides information and algorithms that allow clients to discover the server best suited to serve their request in the array. CARP provides efficient routing for requests on the client and server sides. Web browsers or downstream proxy servers can be clients of CARP.

CARP uses hashing algorithms to identify a path within an array that can best serve a request. The resolution path enables a Web browser to determine the location within an array where the requested URL is already cached from a previous request. In addition, CARP enables array members to determine the location to cache information for subsequent requests. The various advantages of CARP are:
- It uses a hashing algorithm that automatically adjusts CARP with the addition and deletion of ISA servers to and from an array.
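The hashing idea behind CARP can be illustrated with a highest-score selection: every client scores each array member against the requested URL and picks the top scorer, so all clients agree on where a URL is cached, and adding or removing a member relocates only the URLs that member wins or loses. This Python sketch is an added example and not ISA Server's implementation; SHA-256 stands in for CARP's own hash functions, and the member names and URLs are constructed.

```python
import hashlib


def score(member, url):
    """Combined member/URL score. SHA-256 is a stand-in for CARP's own hash
    functions (assumption made for this example)."""
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def owner(members, url):
    """Array member that should cache this URL: the one with the highest score."""
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: score(m, url))


def placement(members, urls):
    """Map every URL to the member that owns it."""
    return {u: owner(members, u) for u in urls}


def moved(before, after):
    """URLs whose owner differs between two placements, as {url: (old, new)}."""
    return {u: (before[u], after[u]) for u in before if before[u] != after[u]}


# Constructed sample data: hypothetical array member names and URLs.
ARRAY = ["isa-01", "isa-02", "isa-03"]
URLS = [f"http://www.example.com/page{i}.htm" for i in range(1000)]


def demo():
    """Compare the base array with one that gained isa-04 and one that lost isa-02."""
    base = placement(ARRAY, URLS)
    grown = placement(ARRAY + ["isa-04"], URLS)
    shrunk = placement([m for m in ARRAY if m != "isa-02"], URLS)
    return base, moved(base, grown), moved(base, shrunk)


if __name__ == "__main__":
    base, after_add, after_remove = demo()
    for member in ARRAY:
        count = sum(1 for m in base.values() if m == member)
        print(f"{member}: {count} URLs")
    # Only URLs won by the new member change owner; the rest stay cached
    # where they already are.
    print("moved after adding isa-04:", len(after_add))
    # Only URLs that were on the removed member need a new owner.
    print("moved after removing isa-02:", len(after_remove))
```
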


Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-025) Lisa would like to configure five of her 15 Web servers, which are running Microsoft Windows Server 2003, Web Edition, to always receive specific IP addresses

More information

NETASQ MIGRATING FROM V8 TO V9

NETASQ MIGRATING FROM V8 TO V9 UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4

More information

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required) MCSE 2003 Microsoft Certified Systems Engineer (MCSE) candidates on the Microsoft Windows Server 2003 track are required to satisfy the following requirements: Core Exams (6 Exams Required) Four networking

More information

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.1 Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...

More information

Transparent Identification of Users

Transparent Identification of Users Transparent Identification of Users Websense Web Security Solutions v7.5, v7.6 Transparent Identification of Users 1996 2011, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA

More information

Installing GFI MailSecurity

Installing GFI MailSecurity Installing GFI MailSecurity Introduction This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install

More information

CMB 207 1I Citrix XenApp and XenDesktop Fast Track

CMB 207 1I Citrix XenApp and XenDesktop Fast Track CMB 207 1I Citrix XenApp and XenDesktop Fast Track This fast paced course provides the foundation necessary for students to effectively centralize and manage desktops and applications in the datacenter

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 6 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 9 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Installation Guide for the WebPortal

Installation Guide for the WebPortal Installation Guide for the WebPortal 100713 2013 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Details: Introduction When computers in a private network connect to the Internet, they physically

More information

How to Install Microsoft Mobile Information Server 2002 Server ActiveSync. Joey Masterson

How to Install Microsoft Mobile Information Server 2002 Server ActiveSync. Joey Masterson How to Install Microsoft Mobile Information Server 2002 Server ActiveSync Joey Masterson How to Install Microsoft Mobile Information Server 2002 Server ActiveSync Joey Masterson Copyright Information

More information

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3 Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External

More information

BorderWare Firewall Server 7.1. Release Notes

BorderWare Firewall Server 7.1. Release Notes BorderWare Firewall Server 7.1 Release Notes BorderWare Technologies is pleased to announce the release of version 7.1 of the BorderWare Firewall Server. This release includes following new features and

More information

Check Point Security Administrator R70

Check Point Security Administrator R70 Page 1 of 6 Check Point Security Administrator R70 Check Point Security Administration R70 Length Prerequisites 5 days* (recommended) Basic networking knowledge, knowledge of Windows Server and/or UNIX,

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Microsoft Windows Server System White Paper

Microsoft Windows Server System White Paper Introduction to Network Access Protection Microsoft Corporation Published: June 2004, Updated: May 2006 Abstract Network Access Protection, a platform for Microsoft Windows Server "Longhorn" (now in beta

More information

Virtual Managment Appliance Setup Guide

Virtual Managment Appliance Setup Guide Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

More information

Feature and Technical

Feature and Technical BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 4 Feature and Technical Overview Published: 2013-11-07 SWD-20131107160132924 Contents 1 Document revision history...6 2 What's

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Proxies. Chapter 4. Network & Security Gildas Avoine

Proxies. Chapter 4. Network & Security Gildas Avoine Proxies Chapter 4 Network & Security Gildas Avoine SUMMARY OF CHAPTER 4 Generalities Forward Proxies Reverse Proxies Open Proxies Conclusion GENERALITIES Generalities Forward Proxies Reverse Proxies Open

More information

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create

More information

LifeSize Control TM Deployment Guide

LifeSize Control TM Deployment Guide LifeSize Control TM Deployment Guide July 2011 LifeSize Control Deployment Guide 2 LifeSize Control This guide is for network administrators who use LifeSize Control to manage video and voice communications

More information

ReadyNAS Remote White Paper. NETGEAR May 2010

ReadyNAS Remote White Paper. NETGEAR May 2010 ReadyNAS Remote White Paper NETGEAR May 2010 Table of Contents Overview... 3 Architecture... 3 Security... 4 Remote Firewall... 5 Performance... 5 Overview ReadyNAS Remote is a software application that

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Administration Guide Published: 2010-06-16 SWDT487521-1041691-0616023638-001 Contents 1 Overview: BlackBerry Enterprise

More information

SSL VPN Portal Options

SSL VPN Portal Options 1. ProSecure UTM Quick Start Guide This quick start guide describes how to use the SSL VPN Wizard to configure SSL VPN portals on the ProSecure Unified Threat Management (UTM) Appliance. The Secure Sockets

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

MCSE Objectives. Exam 70-236: TS:Exchange Server 2007, Configuring

MCSE Objectives. Exam 70-236: TS:Exchange Server 2007, Configuring MCSE Objectives Exam 70-236: TS:Exchange Server 2007, Configuring Installing and Configuring Microsoft Exchange Servers Prepare the infrastructure for Exchange installation. Prepare the servers for Exchange

More information

DMZ Network Visibility with Wireshark June 15, 2010

DMZ Network Visibility with Wireshark June 15, 2010 DMZ Network Visibility with Wireshark June 15, 2010 Ashok Desai Senior Network Specialist Intel Information Technology SHARKFEST 10 Stanford University June 14-17, 2010 Outline Presentation Objective DMZ

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced,

More information

MCSA Security + Certification Program

MCSA Security + Certification Program MCSA Security + Certification Program 12 credit hours 270 hours to complete certifications Tuition: $4500 Information technology positions are high-demand occupations that support virtually all industries.

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

9236245 Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

9236245 Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation 9236245 Issue 2EN Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia 9300 Configuring connection settings Legal Notice Copyright Nokia 2005. All rights reserved. Reproduction,

More information

http://docs.trendmicro.com/en-us/enterprise/safesync-for-enterprise.aspx

http://docs.trendmicro.com/en-us/enterprise/safesync-for-enterprise.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

FAQs for Oracle iplanet Proxy Server 4.0

FAQs for Oracle iplanet Proxy Server 4.0 FAQs for Oracle iplanet Proxy Server 4.0 Get answers to the questions most frequently asked about Oracle iplanet Proxy Server Q: What is Oracle iplanet Proxy Server (Java System Web Proxy Server)? A: Oracle

More information

Virtual Data Centre. User Guide

Virtual Data Centre. User Guide Virtual Data Centre User Guide 2 P age Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10

More information

SonicWALL Global Management System Configuration Guide Standard Edition

SonicWALL Global Management System Configuration Guide Standard Edition SonicWALL Global Management System Configuration Guide Standard Edition Version 2.3 Copyright Information 2002 SonicWALL, Inc. All rights reserved. Under copyright laws, this manual or the software described

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

eprism Email Security Suite

eprism Email Security Suite Guide eprism 2505 eprism Email Security Suite 800-782-3762 www.edgewave.com 2001 2012 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered

More information

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 2 Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server

More information

Windows Server Update Services 3.0 SP2 Step By Step Guide

Windows Server Update Services 3.0 SP2 Step By Step Guide Windows Server Update Services 3.0 SP2 Step By Step Guide Microsoft Corporation Author: Anita Taylor Editor: Theresa Haynie Abstract This guide provides detailed instructions for installing Windows Server

More information

Third Party Integration

Third Party Integration APPENDIXG This appendix contains the following sections: Overview, page G-1 BlackBerry Enterprise Server, page G-1 Blue Coat, page G-2 Check Point, page G-3 Firebox, page G-4 ISA Server/Forefront TMG,

More information