ISA is different than what most small business consultants are used to seeing. It is an enterprise-class firewall with features well beyond those seen in any other firewall deployed in a small business setting. It is necessary to understand some basic concepts before attempting to troubleshoot or customize the configuration.

Understanding ISA Client Types

Probably one of the most confusing things about ISA Server for new administrators is client types. ISA recognizes three different types of clients: SecureNat, Web Proxy, and Firewall. Windows-based computers can be all three.

The SecureNat Client

A SecureNat client is one that is configured with its gateway address pointing at the internal IP address of the SBS server. Servers on your network are configured as SecureNat clients, as are computers running non-Microsoft operating systems. The SecureNat client can only access protocols that are in the protocol list and don't require any secondary connections. This is also the only client type that can use non-TCP or non-UDP connections such as ICMP (ping). A typical workstation in an SBS network running a Windows operating system such as Windows XP accesses the ISA server as a SecureNat client only when using non-TCP or non-UDP connections. To configure a non-Microsoft operating system computer or a server as a SecureNat client, simply configure the gateway address in your TCP/IP settings with the internal IP address of your SBS server. In the ISA logs, traffic sent from SecureNat clients is logged with the originating IP address only, because there is no mechanism for passing the username and password along to ISA. This limits your ability to control Internet access for these clients.

The Web Proxy Client

A Web Proxy client is one that is configured to send requests to ISA's web proxy feature using a particular port. In the case of SBS, this port is 8080. This client type supports only HTTP, HTTPS, and FTP downloads.
The username and password are passed from Windows to the ISA Server for access control purposes. Follow these steps to configure a Web Proxy client:
The Firewall Client

A Firewall Client is one on which the ISA Firewall Client software has been installed, configured, and enabled. The Firewall Client is a powerful tool and should be installed wherever possible. The Firewall Client does not require that a protocol definition be defined on the ISA Server for the client to use that protocol. It can send username and password credentials from Windows and from any Winsock-enabled application to the ISA Server. Installing the Firewall Client often eliminates any problems that users are having accessing a particular website or using a web-enabled application. When installed, the Firewall Client intercepts any TCP or UDP traffic and sends it on to the proxy with credentials included. Further, this information is sent as encrypted data using Kerberos, thwarting the sniffing of usernames and passwords of web-enabled applications. Considering that many small businesses use web applications for payroll, 401k management and deposits, and online banking, encrypting the transmission is an excellent idea.
The Firewall Client software is found on your SBS server under c:\program files\Microsoft ISA Server\clients. The firewall client folder is shared by default as mspclnt. To install the Firewall Client, run Setup.exe from this folder. The installer walks you through the installation process. It is a straightforward process. When the installation is complete, a reboot is recommended, and you'll notice the Firewall Client icon in the system tray.

Note: You need to be logged in with local administrator rights to perform the installation of the Firewall Client.

Note: If you are upgrading from ISA 2000 and your clients have the Firewall Client already installed, you'll need to uninstall the ISA 2000 Firewall Client before installing the ISA 2004 Firewall Client. Fortunately, the icons in the system tray are different, so you'll be able to easily spot whether a particular workstation has been updated. By default ISA Server accepts either the ISA 2000 Firewall Client or the new ISA 2004 Firewall Client. However, if you want to be sure that the data sent via the Firewall Client is always encrypted, you can set ISA to require the new client.
Unless you have already set up automatic configuration for your Firewall Client application, you'll need to specify the name of your SBS server in the Configuration tab of the client on each computer. Follow these steps to configure the Firewall Client on each workstation:
To see the various clients in action on your network, open the ISA Management MMC. Follow these steps:
Follow these steps to assign the Firewall Client to client computers:
As Figure 23.11 demonstrates, when you are finished, the Firewall Client is listed as an application that can be assigned to your client computers.

Figure 23.11. The Firewall Client is not configured for automatic deployment to the client computers by default but can be added.

Managing Log Information

ISA logs a lot of information. When you are attempting to troubleshoot a problem and watching for traffic of a particular type, you'll quickly realize that there is a lot of NETBIOS-related traffic diverting your attention.
In particular, the rule Allow Access from Trusted Computers to the Firewall Client Installation Share on ISA Server generates a huge number of log events. This rule is a system rule and can't be altered except through system policy, but you can turn off logging for this rule in the Firewall Policy. Doing so not only makes your log easier to read but also reduces the space requirements for log storage and the RAM that the SQL Server instance for ISA logging requires. To turn off logging for this rule, you first have to be able to select it in Firewall Policy. By default all the System Policy rules are hidden from view. At the top of the page, click the View menu and select Show System Policy Rules (see Figure 23.12). This exposes the System Policy rules in the Firewall Policy window. These rules are created by the predefined SBS security template applied during installation.

Figure 23.12. The Show System Policy Rules option is found under View and also as a button in the Task list.

To disable logging for a particular rule, follow these steps:
Note: If you would rather not disable logging for this policy but want to reduce the amount of RAM that the log generation uses, there is another option: You can reduce the amount of RAM that the SQL Server instance is allowed to use for firewall logging. For a good tutorial on this, see http://www.smallbizserver.net/Default.aspx?tabid=247.

Maintaining ISA Log Files

By default ISA keeps up to 16GB of log files on your server. Storage space on SBS servers is almost always at a premium, and small businesses would probably rather use that 16GB for something other than ISA Server logs. Fortunately, ISA has a log maintenance feature buried under the Monitoring section of ISA Management where you can change not only how much space the logs take up but also where the logs are stored, and you can force them to leave some free space on the drive. To adjust the amount of space that logs may potentially take up on your server, follow these steps:
Note: The SMTP message filter is disabled by default in SBS, so unless you've enabled it, it isn't really necessary to modify the log settings here.
ISA Lockdown Mode

SBS 2003 SP1 comes prehardened, so in general there is no need to make changes typical of hardening, such as stopping services or moving them from automatic to manual. This has already been done for you. However, you may want to implement a safeguard: an alert that puts ISA Server into Lockdown mode if the firewall fails to log events. The ISA 2004 Server Firewall Service fails closed. This means that if the Firewall Service stops, the ISA Server launches into Lockdown mode. Lockdown mode leaves the ISA Server isolated but still connected to the Internet. You'll want to review the Help file for a complete list of exactly what happens when your server enters Lockdown mode, but in summary: ping from internal is allowed, outgoing web requests are allowed, remote management is allowed, no incoming web requests are allowed, and VPN connections are not allowed. This combination allows an administrator to access the server, review the logs for troubleshooting and/or investigative work, and restart the Firewall Service when the problem is resolved.

Note: While in Lockdown mode, any changes that you make to the Firewall Policy do not take effect until the Firewall Service is restarted.

Microsoft's hardening guide recommends that you set up an alert if your ISA Server is unable to log events. A failure to log events would mean that in the event of an intrusion you'd be flying blind in your attempts to determine when the intrusion occurred and by what means. In SBS the Logging alert is already set up for you. If you want to have this alert trigger Lockdown mode, you will need to edit the alert. To edit the alert, follow these steps:
Caution: Should the drive that ISA is logging to fill, or should ISA become unable to reach its log location, this alert will be triggered. Therefore, make sure that your logs have plenty of room, and choose a local drive if possible.

Client Connections

ISA 2004 can be installed on your server as an upgrade from ISA 2000 or as a new install. As of this writing, few differences have been noticed. The upgrade option actually exports your settings, translates them to ISA 2004, and imports the settings, leaving you with an identically functioning network. One difference that has caught the attention of locations that use secure websites extensively is client connections. Client connections are limited to 160 in a new installation of ISA 2004 and 40 in an upgrade from ISA 2000. The purpose of limiting client connections is to prevent a single workstation from flooding the network. Speaking from experience, having a Trojan-infected computer show up on your network, in this case a roaming laptop, and take up all the bandwidth to the Internet by generating thousands of connections is a bad thing. It brings your network to its knees, and it's difficult to track without a high-quality firewall such as ISA 2004. The company in question went through several different consulting companies and spent thousands of dollars before getting the problem resolved. If the company had had an ISA 2004 server, it would not have even had a problem; the infected laptop would have been identified in the logs as having exceeded its connection allotment. Having as few client connections as your clients need to work is a good thing. When the client connections are exceeded, that client won't be able to open any additional connections, and an alert will be triggered.
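As an added illustration (not part of this chapter), the following Python script applies two of the log-reading points above to a constructed log: SecureNat traffic shows up with an IP address but no username, and a single client exceeding its connection allotment (160 on a new install, 40 after an upgrade) stands out by volume. The simplified W3C-style field layout and the sample addresses are assumptions, not ISA's exact export format.

```python
from collections import Counter

# Constructed sample in a simplified W3C-style layout (assumed here; not
# ISA's exact field order). cs-username is "-" when the client sent no
# credentials, which is how SecureNat traffic appears in the ISA logs.
SAMPLE_LINES = [
    "#Software: constructed sample, not a real ISA export",
    "#Fields: time c-ip cs-username cs-protocol r-host action",
    "08:00:01 192.168.16.20 SBS\\alice http www.example.com Allowed",
    "08:00:02 192.168.16.20 SBS\\alice https bank.example.net Allowed",
    "08:00:03 192.168.16.50 - ICMP 192.168.16.2 Allowed",
    "08:00:03 192.168.16.50 - http www.example.com Allowed",
] + [
    # One roaming laptop (constructed) opening 200 outbound connections.
    f"08:00:05 192.168.16.77 - tcp 203.0.113.{i % 200 + 1} Allowed"
    for i in range(200)
]


def parse_log(lines):
    """Parse W3C-style lines into dicts keyed by the #Fields header names."""
    fields, entries = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def credentialless_clients(entries):
    """IPs that never sent a username: SecureNat-style traffic that
    per-user access rules cannot control."""
    anonymous, named = set(), set()
    for e in entries:
        (anonymous if e["cs-username"] == "-" else named).add(e["c-ip"])
    return anonymous - named


def over_connection_limit(entries, limit):
    """Clients whose logged connections exceed the per-client limit.
    Counting log entries approximates the concurrent-connection alert."""
    counts = Counter(e["c-ip"] for e in entries)
    return {ip: n for ip, n in counts.items() if n > limit}
```

Run against a real export, you would first confirm the `#Fields:` header matches the names used here, since ISA's column names and order may differ from this constructed sample.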
If you have performed an upgrade of ISA 2000 to ISA 2004, you may find that you need to increase the number of client connections. To increase the number of connections allowed per client, follow these steps:
Internet Acceleration

Acceleration of the Internet is a big part of the name of ISA Server, but in reality it's a small part of what it does. It's kind of funny really, because one of the criticisms of ISA by those who haven't investigated it, since its forerunner Proxy 1.0 came out, is that it's just a cache server. Small businesses are enjoying greater bandwidth than ever. Not that long ago T1 speeds were reserved for those with big budgets, but thanks to advances in DSL and cable Internet technologies even the smallest business can afford the Internet at high speed. Even so, the use of the Internet by employees at small businesses demands efficient use of the bandwidth. This is what caching does for your business; it makes efficient use of your bandwidth. The default cache size is set at 100MB on the drive where ISA is installed. This is the minimum recommended setting. An additional 0.5MB for each web proxy client is recommended. Because Microsoft doesn't know how many clients you have at the time of installation, this configuration item is left for you to do. To adjust the cache settings, follow these steps:
Controlling Cache Free Memory Use

ISA can get carried away and use up more free memory than would be best, considering all the applications that your SBS server has to run simultaneously. To adjust the amount of free memory that ISA uses for caching, follow these steps: