CHAPTER 7
SECURING
SERVER
Through the use of enterprise policies and settings, Microsoft Internet Security and Acceleration
Server 2000 (ISA Server) allows multitiered policy enforcement by providing the capability for
both enterprise-level and array-level Internet Security that can be used together or separately.
For any given ISA Server array, enterprise policy settings determine whether array policies are
included and, if so, what kinds of rules are included in the array policy.
NOTE: If an existing array has already been configured to use an array policy only (no
enterprise policy), you cannot modify the array’s policy settings to use an enterprise policy.
Likewise, if an existing array uses an enterprise policy, you cannot change the array’s policy
settings to ignore enterprise settings and use an array policy only.
Creating an
Though by default only users who are members of the Enterprise Admins group have
permissions to configure enterprise policies, the properties of each enterprise policy can
be modified to allow other users privileges to change the policy.
Configuring the Policy Settings for an
An enterprise administrator can modify these settings by
right-clicking the
in ISA Management and selecting Set Defaults. They can also be configured when an
enterprise administrator installs an array or modifies an array’s properties.
When you select the Use Default Enterprise Policy Settings radio button, the settings
configured in the Set Defaults dialog box are applied to the array.
Enterprise Policy settings include:
Policy.
=====================================================================
winisa7.html PAGE 2 2002/05/28
Combined enterprise and array policy. This setting is configured by selecting the
Allow Array-Level Access Policy Rules That Restrict Enterprise Policy check box.
Array Policy only. The array administrator is able to create any rule to allow or deny
access. When an array has been configured in this way, the array cannot be configured
later to use an enterprise policy.
Allow Publishing Rules. This setting, which is configured by selecting the Allow
Publishing rules.
Force Packet Filtering on the Array.
NOTE: The IP packet filters themselves can neither be created at the enterprise level nor
forbidden by enterprise policy settings.
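The following Python model is an added illustration, not code from these notes or from ISA Server itself. It shows how the three policy settings above bound what an array administrator can decide: under a combined enterprise and array policy, array-level rules can only restrict what the enterprise policy allows, whereas an array-only policy lets the array administrator allow or deny anything. The Rule shape, the sample rules and the deny-overrides evaluation order inside one policy level are assumptions of the model, not ISA Server's actual rule engine.

```python
"""Model of how ISA Server 2000 enterprise policy settings bound an array policy.

Added example, not ISA Server code. The Rule shape and the deny-overrides
evaluation inside one policy level are assumptions made for this model.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class PolicyMode(Enum):
    ENTERPRISE_ONLY = "enterprise policy only"
    COMBINED = "combined enterprise and array policy"
    ARRAY_ONLY = "array policy only"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    destination: str   # a host name, or "*" for any destination

    def matches(self, destination: str) -> bool:
        return self.destination in ("*", destination)


def evaluate(rules: list[Rule], destination: str) -> bool:
    """Decision of one policy level (assumption: a matching deny always wins,
    otherwise access needs a matching allow; no matching rule means no access)."""
    if any(r.action == "deny" and r.matches(destination) for r in rules):
        return False
    return any(r.action == "allow" and r.matches(destination) for r in rules)


def is_allowed(mode: PolicyMode, enterprise_rules: list[Rule],
               array_rules: list[Rule], destination: str) -> bool:
    """Effective decision for a request, given the enterprise policy setting."""
    if mode is PolicyMode.ENTERPRISE_ONLY:
        return evaluate(enterprise_rules, destination)   # array rules are ignored
    if mode is PolicyMode.ARRAY_ONLY:
        return evaluate(array_rules, destination)        # array admin decides alone
    # COMBINED: the array level may narrow the enterprise decision but never widen it.
    return evaluate(enterprise_rules, destination) and evaluate(array_rules, destination)


def array_overrides(enterprise_rules: list[Rule], array_rules: list[Rule],
                    destinations: list[str]) -> list[str]:
    """Destinations the array policy would open although the enterprise policy
    denies them. Under a combined policy these have no effect; under an
    array-only policy they take effect, which is why that mode is one-way."""
    return [d for d in destinations
            if not evaluate(enterprise_rules, d) and evaluate(array_rules, d)]


# Constructed sample policies (not from the notes).
ENTERPRISE = [Rule("allow", "*"), Rule("deny", "gambling.example")]
ARRAY = [Rule("allow", "*"), Rule("deny", "chat.example")]
ARRAY_PERMISSIVE = [Rule("allow", "*")]

if __name__ == "__main__":
    for dest in ("news.example", "chat.example", "gambling.example"):
        for mode in PolicyMode:
            print(f"{mode.value:40} {dest:20} {is_allowed(mode, ENTERPRISE, ARRAY, dest)}")
    print("array-only overrides:",
          array_overrides(ENTERPRISE, ARRAY_PERMISSIVE, ["gambling.example", "news.example"]))
```

Running the module prints the effective decision for each destination under each mode; the point to notice is that `gambling.example` stays denied under the combined policy no matter what the array policy says, and becomes reachable only when the array is configured for an array policy only.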
Backing up and Restoring an Enterprise Configuration
All enterprise configuration parameters can be backed up and stored locally in a file. You
can save your configuration to any directory and file name you choose. The backup process
saves all enterprise-specific information, including all enterprise policies and enterprise policy
elements.
CAUTION: Restoring an enterprise configuration may impact policies for arrays that use
enterprise policies, so after you back up the enterprise configuration, back up all the arrays
in the enterprise. After you restore the enterprise configuration, restore all the array configurations.
The backup file has the extension .BEF.
Lesson Summary:
enterprise policies, each of which may be applied to groups of ISA Server arrays.
of settings known as enterprise policy settings.
combined enterprise and array policy, or an array policy only is allowed; whether
publishing rules are allowed; and whether packet filtering on the array level should be forced.
policies and enterprise policy elements.
Lesson 2:
Configuring ISA Server Arrays
***doesn’t work ***
ISA Server computers are grouped together in arrays. Arrays allow a group of ISA Server
computers to be treated and managed as a single, logical entity.
When you install ISA Server, you choose to join an existing array or be a standalone array.
NOTE: Before you can set up ISA Server as an array member, the ISA Server schema
updates must be applied to the Active Directory directory services schema. This process
is known as initializing the enterprise. You must be an administrator on the local computer
and a member of the Enterprise Admins group to initialize the enterprise.
When no existing arrays are found, a new array will be created. With each subsequent ISA
Server installation, if you choose to install ISA Server as an array member, ISA Server
Setup presents a list of existing arrays that the server can join.
Array Requirements
All array members must be in the same domain and in the same site. A site is a set of
computers in a well-connected TCP/IP subnet. A domain is a collection of computers,
defined by the administrator, that share a common directory database.
Arrays and Standalone Servers
If you choose not to install ISA Server as an array member, you can install ISA Server as a
standalone server. Standalone server installations do not require that the computer belong
to a Microsoft Windows 2000 domain.
Promoting Standalone Servers
An ISA Server installation configured as a standalone server cannot join an array.
However, standalone servers can be promoted to become array members. When a
standalone server is promoted, a new array is created. The ISA Server computer is
made a member of the new array.
As a member of the
settings. When configuring enterprise policy settings for a given array, you can choose
to use the default enterprise policy settings or configure custom enterprise policy settings.
Array Member Settings
Installation Modes. Cache, Firewall or Integrated.
Policy Configuration. Access policy, publishing, and bandwidth rules.
Extensions. Extensions include Web filters and application filters.
Alert Configuration. Alerts can be configured for each server in the array or for
all the servers in the array.
Reports. Reports display information about the activity on all the ISA Server computers
in the array.
Cache. Space for the ISA Server cache is allocated on each server according to the
amount you specify when you install ISA Server or reconfigure the cache.
Controlling Array Membership
ISA Server computers that belong to arrays can join, leave, or be removed from an array.
To remove an ISA Server computer from an array, uninstall ISA Server from that computer
by re-running the ISA Server Setup program and choosing to remove all ISA Server
components.
When you change an enterprise configuration by adding or removing a server from an array,
the configuration information is updated in the Active Directory directory services store.
Backing up and Restoring an Array Configuration
ISA Server includes a backup and restore feature that enables you to save and restore
most array configuration information.
If ISA Server is set up as an array member, its configuration information is stored in the Active
Directory directory services store. If ISA Server is installed as a standalone server, the
configuration settings are stored in the server’s local registry.
Backing up the Configuration
ISA Server backs up all of the array’s general configuration information. This includes access
policy, publishing rules, policy elements, alert configuration, cache configuration, and array
properties.
Back up the array configuration after any major modification to the array, including:
It is recommended that you also periodically back up the server-specific configuration. You
can use Windows Backup (Ntbackup) to back up ISA Server information, including passwords,
local registry parameters, cache store configuration information, H.323 Gatekeeper configuration,
reports, local settings for application filters, performance-tuning parameters, cache contents,
and log files.
NOTE: The backup file can be saved to any drive on the local computer or on the network
by specifying a UNC or a mapped network drive path.
Using Arrays to Provide Fault Tolerance
Fault tolerance is an important feature of an ISA Server cache array scenario, in which the
CARP algorithm is used to ensure that client requests are serviced by the appropriate ISA
Server. The array configuration ensures that even if one array member fails, the other array
members can continue to service client requests.
Fault Tolerance for the ISA Server Firewall service, however, varies among client and
installation types. For example, ISA Server alone cannot ensure fault tolerance and load
balancing in the following cases:
For SecureNAT clients, which cannot identify the ISA Server by array name.
For standalone servers, which cannot be grouped in arrays.
Fault Tolerance for Firewall Clients
For firewall clients, fault tolerance can be achieved when two or more ISA Server
computers are used with a DNS Server.
NOTE: Round Robin distribution is a mechanism used by DNS servers to share and
distribute loads for network resources. When DNS responds to resolve a name query,
it returns an IP address matching one of the ISA Server’s IP addresses.
Fault Tolerance for SecureNAT Clients
For SecureNAT clients, fault tolerance can be achieved for the firewall service when
two or more ISA Server computers are used together with Windows 2000 Advanced
Server Network Load Balancing. Network Load Balancing is one form of clustering in
Windows 2000. By combining the resources of two or more computers running Windows
2000 Advanced Server into a single cluster, Network Load Balancing delivers the
reliability and performance that Web servers and other mission-critical servers need.
Cache Array Routing Protocol
ISA Server uses CARP to determine the best path through an array to resolve a
Web request. The request resolution path determines either exactly where in the array
the requested information is cached or whether ISA Server must route the request to the
Internet to retrieve the requested information.
How the CARP Works
together with the hash function it computes for the name of each requested URL, to
determine which server should service the request.
request to another member server, specifying its intra-array IP address.
This process determines the location for all cached information, allowing Web browsers
or downstream servers to know exactly where a requested URL is stored locally (or will
be stored after caching).
CARP can be enabled for all outgoing Web requests (requests destined for a Web server
on the Internet), and disabled for all incoming Web requests (requests originating from the
Internet destined for an internal Web server).
Configuring CARP
By default, CARP is enabled for outgoing Web requests and disabled for incoming Web
requests. That is, by default ISA Server uses CARP to cache objects from outgoing Web
requests on any server in the array, but when reverse caching is enabled for server
publishing, objects from incoming Web requests are cached on one specific server.
NOTE: In order for CARP to function for incoming Web requests, be sure that the IP
address that is used for intra-array communication, by default an internal IP address,
listens for requests on the same port as the IP address configured to listen for incoming
Web requests. (The default is port 80).
Configuring the Load Factor
The load factor determines how to divide the load among members of an array. Changing
this value increases or decreases the load on an ISA Server computer.
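The following Python simulation is an added example, not code from these notes or from ISA Server, covering the three CARP passages above: how each array member hashes a URL against every member name and picks the owner (so the receiving server either serves the request itself or forwards it to the owner's intra-array address), how the load factor shifts the share of URLs a member owns, and why a cache array stays serviceable when one member fails. The member names, intra-array addresses and load factors are constructed values; the hash is a stand-in for CARP's 32-bit hash, and the load factor is applied with the weighted-rendezvous formula, which gives each member a share proportional to its load factor but is not ISA Server's exact multiplier computation.

```python
"""Simplified CARP-style request routing for an ISA Server cache array.

Added example, not ISA Server code. The hash (truncated SHA-256) stands in for
CARP's rotate/multiply hash, and the load factor is applied with the weighted
rendezvous formula score = -load / ln(u), which gives each member a share of
URLs proportional to its load factor. ISA Server's exact multiplier computation
is not reproduced here.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ArrayMember:
    name: str            # array member name (constructed values in the demo)
    intra_array_ip: str  # address used to forward requests inside the array
    load_factor: int     # relative share of the load; 100 is the neutral value


def _unit_hash(url: str, member_name: str) -> float:
    """Combine the URL and member name into a float strictly inside (0, 1).
    Stand-in for CARP's combined hash: only determinism and uniformity matter."""
    digest = hashlib.sha256(member_name.encode() + b"\x00" + url.encode()).digest()
    h = int.from_bytes(digest[:8], "big")
    return (h + 1) / (2 ** 64 + 1)


def carp_select(url: str, members: list[ArrayMember]) -> ArrayMember:
    """Return the member that owns `url`: the one with the highest weighted score.
    Every member computes the same answer, so no coordination traffic is needed."""
    best, best_score = None, float("-inf")
    for m in members:
        if m.load_factor <= 0:
            continue  # a load factor of 0 takes the member out of rotation
        score = -m.load_factor / math.log(_unit_hash(url, m.name))
        if score > best_score:
            best, best_score = m, score
    if best is None:
        raise ValueError("no array member has a positive load factor")
    return best


def route(url: str, receiver: ArrayMember, members: list[ArrayMember]) -> str:
    """What the member that received a client request does with it."""
    owner = carp_select(url, members)
    if owner == receiver:
        return "serve-locally"
    return f"forward-to:{owner.intra_array_ip}"


def distribution(urls: list[str], members: list[ArrayMember]) -> dict[str, int]:
    """How many of `urls` each member owns; shares follow the load factors."""
    counts = {m.name: 0 for m in members}
    for url in urls:
        counts[carp_select(url, members).name] += 1
    return counts


def urls_moved_on_failure(urls: list[str], members: list[ArrayMember],
                          failed_name: str) -> int:
    """Number of URLs whose owner changes when one member fails. With this
    scheme only the failed member's own URLs move; every other URL keeps its
    cache location, which is the fault-tolerance property of the array."""
    survivors = [m for m in members if m.name != failed_name]
    return sum(1 for u in urls
               if carp_select(u, members).name != carp_select(u, survivors).name)


# Constructed demo array: isa3 is configured to carry twice the load of the others.
ARRAY = [
    ArrayMember("isa1", "10.0.0.1", 100),
    ArrayMember("isa2", "10.0.0.2", 100),
    ArrayMember("isa3", "10.0.0.3", 200),
]
SAMPLE_URLS = [f"http://www.example.com/page{i}.html" for i in range(2000)]

if __name__ == "__main__":
    print(distribution(SAMPLE_URLS, ARRAY))
    print(route("http://www.example.com/page7.html", ARRAY[0], ARRAY))
    print("URLs moved after isa2 fails:", urls_moved_on_failure(SAMPLE_URLS, ARRAY, "isa2"))
```

Running the module shows isa3 owning roughly half of the sample URLs, and the number of URLs that move after isa2 fails equalling the number isa2 owned, which is what lets the remaining members keep serving requests from their existing cache.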
CARP and Scheduled Content Download
ISA Server checks for outgoing Web request settings for CARP when retrieving objects
for a scheduled content download job.
Lesson Summary:
servers do not need to be members of Windows 2000 domains and are not affected
by enterprise policies.
For Firewall clients, fault tolerance is achieved when two or more ISA Server
computers are used together with a DNS Server.
optimizes Web caching and routes Web requests. By default, ISA Server uses CARP
to cache objects from outgoing Web requests on any server in the array, but objects
cached from incoming Web requests are stored on a single server.
NOTE: Licensing is required only on a per-processor basis; on a per-user basis it could get quite expensive.
Lesson 3:
Securing Virtual Private Networks with ISA Server
users and other workers connecting across branch offices. Configuring VPN connections
in this way is simplified through the use of ISA Server’s VPN wizards, which are accessed
through the Network Configuration node of ISA Management.
Integrating Virtual Private Networks with ISA Server
The computers use PPTP or L2TP to manage tunnels and encapsulate private data. Data
that is tunneled must also be encrypted to use a VPN connection.
Configuring the Network for VPN Connectivity
A network connection is configured on the ISA Server computer to connect to the Internet
Service Provider (ISP). The ISA Server computer also has a network adapter connected
to the internal network.
For roaming users, the client computers must already have a connection configured
(typically, a dial-up connection is configured in the Network and Dial-up Connections
window) to connect to a local ISP.
For users connecting to an ISA Server network from a branch office behind another ISA
Server computer, the connection is configured by running both the local and remote ISA
Server VPN configuration wizards on each ISA Server computer.
A file with a .vpc extension is created by the wizard.
Remote ISA Server VPN Configuration Wizard
The Remote ISA Server VPN Configuration Wizard sets up a remote ISA VPN server
that initiates connections to a local ISA VPN server. The wizard uses the .vpc file that
the local ISA Server VPN Connection wizard creates to configure any dial-on-demand
interfaces that are required to initiate connections to a specific local VPN server.
ISA Virtual Private Network Configuration Wizard
The VPN server supports both PPTP and IPSec/L2TP tunnels and opens the
appropriate ports on the ISA Server computer to allow clients to connect to the VPN
service.
ISA Server and IPSec
When ISA Server is configured as an IPSec/L2TP server, the IPSec driver is
enabled on the ISA Server computer.
When IPSec is not enabled on the ISA Server computer, the ISA Server policy controls
which packets are allowed and which are blocked. The policy also logs all traffic that
passes through the ISA Server, including IPSec AH and ESP protocols.
Lesson Summary:
computer on a remote network through an ISA Server computer, the computer uses
either PPTP or L2TP to manage tunnels and encapsulate private data. This is
known as a virtual private network (VPN).