Chapter 1: Overview of Microsoft ISA Server 2004 Administration
Figure 1-1: Comparison of OSI Layer 4 and Layer 7 firewalls.
Figure 1-2: The ISA Server 2000 Management console is very basic compared to the rich features in the ISA Server 2004 Management console.
Figure 1-3: Tabbed pages in the ISA Server 2004 Management console make accessing common tasks simpler.
Chapter 2: Installing and Configuring Microsoft ISA Server 2004 Standard Edition
Figure 2-1: The setup splash screen contains useful links to explore in addition to the link to start your ISA Server installation.
Figure 2-2: You have flexibility in how you define your internal network addresses in ISA Server 2004.
Figure 2-3: The Change/Remove option for ISA Server 2004 in the Add/Remove Programs interface.
Figure 2-4: When you click Show System Policy Rules on the Tasks tab, system policies appear in the center Firewall Policy pane.
Figure 2-5: The System Policy Editor allows you to configure system policies from a single interface.
Figure 2-6: The Getting Started pane guides you through the options available for configuring ISA Server.
Figure 2-7: The ISA Server Cache node is located on the Configuration menu.
Figure 2-8: Define the amount of space for your cache in megabytes.
Figure 2-9: To configure the cache properties, use the Cache Settings dialog box.
Figure 2-10: Using a descriptive name on the Welcome To The New Cache Rule Wizard page helps you manage jobs.
Figure 2-11: You can create new network entities, like Domain Name Sets, from within the Add Network Entities dialog box.
Figure 2-12: Specify the URL (Web link) from which a content download job will pull content.
Figure 2-13: Specify the contents of the cache, and the TTL for the objects pulled down by the content download job.
Chapter 3: Installing and Configuring Microsoft ISA Server 2004 Enterprise Edition
Figure 3-1: Select the environment into which you will install the CSS.
Figure 3-2: Select the components you wish to install on the Setup Scenarios page.
Figure 3-3: Enter the IP address ranges or Enterprise Networks that define your network.
Figure 3-4: Specify a user account when installing CSS on a domain controller, and give it a long and complex password.
Figure 3-5: A back-to-back scenario.
Figure 3-6: In a back-to-back configuration, configure the gateway address of the internal network adapter of the Front array to that of the External network adapter of the Back array server.
Figure 3-7: Specifying an alternate CSS server.
Figure 3-8: The Getting Started pane guides you through the options available for configuring your ISA server.
Chapter 4: Installing and Configuring Microsoft ISA Server 2004 Clients
Figure 4-1: This chart shows how the different ISA Server clients compare based on different requirements.
Figure 4-2: This diagram shows how complex networks route Secure NAT client traffic.
Figure 4-3: You can configure the Web Proxy properties on the ISA server by selecting the properties of the network.
Figure 4-4: You can configure the Web Proxy authentication properties to control how clients identify themselves to the ISA server.
Figure 4-5: Firewall client support must be enabled on the ISA server in the Networks interface.
Figure 4-6: You can manage Connection settings for Firewall clients from the ISA Server Management console.
Figure 4-7: You can manage how ISA Server processes application traffic using the Application Settings tab.
Figure 4-8: The ISA Server Firewall client processes configuration settings for the client applying the most unique settings first, then moving to the more general. Settings most specific to the user have higher priority.
Figure 4-9: The Firewall client icon—which you can double-click to bring up configuration options—appears in the notification area and in Control Panel.
Figure 4-10: You can configure the Firewall client from this dialog box.
Chapter 5: Upgrading from Microsoft ISA Server 2000
Figure 5-1: From this screen you can read supporting documentation, run the Migration Wizard, or start the installation of ISA Server.
Figure 5-2: This dialog box sets the level of protection for ISA Server.
Figure 5-3: Choose to install the CSS.
Figure 5-4: Select the components required to install and manage the CSS.
Figure 5-5: Configure the CSS Service account information.
Figure 5-6: You can import the settings from the ISA Server 2000 configuration when upgrading to ISA Server 2004.
Figure 5-7: Export the configuration of an ISA Server 2004 machine before upgrading to Enterprise Edition.
Chapter 6: Monitoring and Reporting
Figure 6-1: To receive alerts by e-mail, the SMTP server information must be entered and verified.
Figure 6-2: If you would like to execute a program after an alert is triggered, the program and an account with sufficient access needs to be configured.
Figure 6-3: You can configure an alert to start one or all ISA Server services.
Figure 6-4: You have a lot of control over the types of filters you would like to configure, which can even be saved for future use.
Figure 6-5: Creating a connectivity verifier to ensure communications on your network.
Figure 6-6: Logging to an SQL database requires a predefined ODBC Data Source Name (DSN), a data table, and an account with appropriate permissions.
Figure 6-7: You can publish reports to a network share for increased visibility and ease of access.
Figure 6-8: E-mail notifications can be sent to notify you when reports have been generated.
Figure 6-9: You can determine the frequency with which the report job will run.
Figure 6-10: Log summaries are essential to gathering reporting data.
Figure 6-11: The default performance console is configured to capture several key objects and their most useful counters.
Chapter 7: Configuring Toolbox Elements
Figure 7-1: This diagram shows the way in which ISA Server manages traffic in Access, Server Publishing, and Web rules.
Figure 7-2: This view shows the toolbox elements available. This screen shows an ISA Server Enterprise Edition installation—the Standard Edition installation is similar, but does not include the Enterprise node.
Figure 7-3: You can create a new protocol by configuring the information about its connection, including the protocol type, direction, and port range or properties.
Figure 7-4: Defining a new content type—like this example where we're defining Pointcast news data—allows you to control traffic based on application type, which is defined by MIME types or file extensions.
Figure 7-5: This schedule defines active times as being from 9:00 PM to 6:00 AM on weekdays.
Figure 7-6: You select the networks you wish to include or exclude from your network set on the Network Selection page.
Figure 7-7: You can define any device with an IP address as a computer object—in this case we are defining a wireless access point.
Figure 7-8: You can specify the subnet mask in the Network Mask text box.
Figure 7-9: You can create a URL set, which consists of one or more URLs, using wildcards.
Figure 7-10: Domain name sets allow you to block or allow sites based on DNS domain names.
Figure 7-11: You can choose from a predefined network.
Figure 7-12: The External Network Listener IP Selection dialog box provides granular control of the IP addresses used by the external Web listener.
Chapter 8: Configuring Microsoft ISA Server Firewall Policy
Figure 8-1: ISA Server processes network rules, system policy rules, and then firewall policy rules when inspecting network traffic. After the rules are processed, the network rules determine whether to route or NAT the traffic. Finally client-specific rules are processed.
Figure 8-2: The System Policy Editor in ISA Server 2004.
Figure 8-3: Each policy has a General tab that illustrates the properties, and either a From or To tab that controls the source or destination to which the policy applies.
Figure 8-4: If you select this option, be sure to protect the exported file, as it contains confidential information.
Figure 8-5: The Read Only check box allows downloads without allowing uploads, reducing the possibility of systems or data being compromised.
Figure 8-6: Use the HTTP filter for fine control of HTTP traffic on a per-rule basis.
Figure 8-7: This policy defines how the ISA server processes RPC traffic.
Figure 8-8: This dialog box allows you to configure how ISA Server manages RPC traffic for this particular rule.
Figure 8-9: You can determine to which protocols the rule applies on this page.
Figure 8-10: Notice how the icon has changed to reflect the disabled access rule.
Figure 8-11: The Define Website To Publish page is very important to configure correctly.
Figure 8-12: From the rule's Properties dialog box you can configure additional information, like Link Translation.
Figure 8-13: Don't select the Delete The Private Key If The Export Is Successful check box, as it will remove the private key (which is necessary) from the Web server.
Figure 8-14: The images and descriptions of SSL Bridging and SSL Tunneling add a nice touch to this wizard.
Figure 8-15: Bridging mode options define what type of protocol (HTTP or HTTPS) access you will support to the ISA server and how you will send the traffic to the published secure Web server.
Figure 8-16: The Public Name setting is what Internet clients would type in their browsers to access this Web site.
Figure 8-17: You can choose from any existing networks to define which IP address ranges will listen for requests for the published Web server.
Figure 8-18: You have a lot of control over which IP addresses from the selected networks will listen for requests directed to the published Web server.
Figure 8-19: You can choose from one of 24 different pre-created protocols, or define your own.
Figure 8-20: The view of the Select Services page publishing Outlook Web Access, Outlook Mobile Access, or Exchange ActiveSync.
Figure 8-21: The view of the Select Services page publishing Outlook (RPC), POP3, IMAP4, and SMTP.
Figure 8-22: The view of the Select Services page publishing SMTP and NNTP.
Chapter 9: Configuring Multinetworking
Figure 9-1: There are several different types of firewall policies for you to choose from when configuring your ISA server using network templates.
Figure 9-2: A network rule can enforce the relationship between any two networks to use NAT or routing.
Figure 9-3: You have several options when defining how client requests should be proxied or forwarded to an upstream server when dealing with Web chaining.
Figure 9-4: This Properties dialog box lets you configure how requests are routed to the upstream server.
Chapter 10: Microsoft ISA Server Security and Administration
Figure 10-1: Role-based delegation allows you to assign roles to administrators of your ISA Server environment.
Figure 10-2: You can configure how ISA Server should use your dial-up or VPN connection to the ISP.
Figure 10-3: You can determine how incoming client certificates are verified in multiple scenarios.
Figure 10-4: Viewing the ISA Server computer details provides you with a quick reference to common ISA Server information.
Figure 10-5: The use of a RADIUS server is beneficial for authentication when the Web client and ISA Server are not in the same domain.
Figure 10-6: Connection limits are important for preventing a worm from bringing down your corporate network, as alerts will be triggered when the values you have set are exceeded.
Figure 11-1: The VPN Clients Properties dialog box allows you to configure remote VPN clients.
Figure 11-2: The User Mapping option allows RADIUS and EAP clients to process user- and group-based access rules. If ISA Server is not a member of a domain in which the user accounts for domain mapping reside, your VPN clients cannot connect.
Figure 11-3: Choose the networks that ISA Server will use to establish VPN connections.
Figure 11-4: When configuring a VPN, select the source for IP addresses and infrastructure services.
Figure 11-5: You can use RADIUS authentication for your VPN clients, which allows authentication with Active Directory if your ISA Server computer is not a member of your domain.
Figure 11-6: Configure the RADIUS Server information used for authentication.
Figure 11-7: Enable the user's account in Active Directory to allow access using VPN.
Figure 11-8: Use the Network Connection Wizard to create a connection from your client computer to the VPN on your ISA server.
Figure 11-9: Connecting a primary site and a secondary site using ISA Server's site-to-site VPN configuration.
Figure 11-10: When setting up accounts for your VPN gateway, use the name of the remote VPN server's demand dial interface.
Figure 11-11: The Remote Sites tab allows you to configure site-to-site VPN connections. Use the Tasks pane to perform actions.
Figure 11-12: Depending on the VPN protocol you select, you will see different pages, as described next.
Figure 11-13: Depending on whether you're using the Enterprise Edition or Standard Edition of ISA Server, you will see this information in either a pop-up dialog box or as a page.
Figure 11-14: These rules allow all outbound traffic for all users—your access rules should be more specific based on your traffic requirements analysis and usage scenarios.
Chapter 12: Scripting with Microsoft ISA Server 2004
Figure 12-1: One of the advanced functions of PrimalScript is that it provides the object model in a drop-down menu to speed scripting functions.
Figure 12-2: The GetContainingServer Method entry in the SDK provides detailed information regarding the properties and usage of the method.
Chapter 13: Configuring Arrays Using Centralized Management
Figure 13-1: Configure the array name and array DNS name on the General tab.
Figure 13-2: Unlike in ISA Server 2000, ISA Server 2004 now provides the capability to "allow" access rules at the array level.
Figure 13-3: The CSS stores the array policy information for all array members.
Figure 13-4: Choose the appropriate authentication option based on your network configuration—domain members or workgroup mode.
Figure 13-5: Assign roles to various users or groups to manage who can connect to the CSS.
Figure 13-6: Click Help if you are unsure about deleting the array.
Figure 13-7: The Getting Started page guides you through the options available for configuring your array.
Figure 13-8: The Configuration tab is very useful for checking that all array members are in sync.
Chapter 14: Using Enterprise and Array Policies
Figure 14-1: The Default Policy and the Default Rule created out of the box cannot be changed.
Figure 14-2: The Ports option gives you granular control over the types of traffic that can originate from source ports. This is a per-rule setting.
Figure 14-3: Select both check boxes to ensure that the complete ISA Server configuration is being exported.
Figure 14-4: Confirm that you want to overwrite the existing configuration before clicking OK.
Figure 14-5: The IP address of the remote CSS must be in the Remote Management Computers computer set.
Figure 14-6: Ensure you have accounts with appropriate credentials or you will have difficulty connecting to a remote CSS.
Figure 14-7: The flow of effective policies in ISA Server 2004 is much improved.
Figure 14-8: To grant array administrators the ability to create all types of access rules, select all three appropriate check boxes.
Figure 14-9: The ability to create access rules is denied if the policy settings for the array are not configured properly.
Chapter 15: Working with Enterprise Technologies and Microsoft ISA Server 2004
Figure 15-1: You have the option to apply certain settings immediately by restarting the services, which might affect connected users, or to wait to restart the services at a later time.
Figure 15-2: CARP can be configured on a per-network basis in ISA Server 2004 Enterprise Edition.
Figure 15-3: You can change the default load factor of 100 on any array member from the CARP tab.
Figure 15-4: You will be presented with an informative message that is important to follow to properly configure NLB.
Chapter 16: Configuring Microsoft ISA Server with Microsoft Exchange Server 2003
Figure 16-1: Forms-based authentication with ISA Server 2004 and Outlook Web Access.
Figure 16-2: A split DNS ensures that clients can always resolve the IP address for mail regardless of their location—when inside the network, they use the internal Exchange server IP address; when outside, they use the IP address for the ISA server's external network adapter.
Figure 16-3: Configure the RPC over HTTP publication rule to point to the Exchange server's RPC path.
Figure 16-4: Configure the RPC Proxy settings for Outlook to connect to your Exchange server.
Chapter 17: Configuring Microsoft ISA Server with Microsoft SharePoint Portal Server 2003
Figure 17-1: You should define the internal name when publishing the SharePoint site.
Figure 17-2: This screen shot shows the publicly accessible name for the SharePoint site.
Figure 17-3: Ensure the Verify Normalization check box is cleared.
Figure 17-4: You should configure link translation in the Web Publishing Rule Properties dialog box.
Figure 17-5: This illustration shows an example of a split DNS configuration where internal and external DNS servers provide different addresses for the same DNS zone.
Figure 17-6: Link translation modifies references to internal server names and addresses to externally accessible names.
Figure 17-7: It's important that you provide the internal name of the SharePoint Portal Server server when completing this step.
Figure 17-8: You should configure the Public Name Details when completing the Public Name Details page.
Figure 17-9: Two dictionary entries for link translations should be created—one for the internal name of the SPS server and one for the internal IP address of the SPS server.
Figure 17-10: Configure basic authentication for the SharePoint Portal site.
Figure 17-11: Forwarding basic authentication is necessary for successful completion of the publishing rule.
Figure 17-12: You should configure alternate access settings within the SharePoint Portal Server configuration.
Figure 17-13: Configure the appropriate proxy settings for the SharePoint Portal Server site.
Chapter 18: Configuring Microsoft ISA Server with Microsoft Operations Manager 2005
Figure 18-1: The Operator console is very user-friendly, especially for those familiar with Outlook 2003.
Figure 18-2: The wizard assists you in getting the MOM agent deployed to your ISA servers.
Figure 18-3: You have flexibility in your search for computers to receive the agent.
Figure 18-4: The default installation path can be modified as necessary.
Figure 18-5: 1270 is the default port number used between the agent and the MOM Management server.
Figure 18-6: You can extract the ISA Server 2004 management pack for a later import.
Figure 18-7: In this example, you want to import only the management pack, and not the reports.
Figure 18-8: Backing up any existing management packs is preferred if not starting from scratch.
Figure 18-9: After the import has completed, you can begin to view the default settings applied with the ISA Server 2004 management pack.
Figure 18-10: Several rule groups are created for both ISA Server 2000 and ISA Server 2004.
Figure 18-11: You will find it helpful for ongoing administration to provide as much information in the text boxes as possible.
Figure 18-12: You can include the seven ISA Server computer groups as part of a new computer group.
Figure 18-13: Various options for assisting with your computer searches are available.
Figure 18-14: You can clearly designate the state of your servers based on the model.
Figure 18-15: Reporting services offers a method for running weekly or monthly reports, with a variety of file export options available.
Chapter 19: Configuring Microsoft ISA Server with Microsoft Virtual Server 2005
Figure 19-1: This screenshot shows the configuration of the test lab being created in this chapter.
Figure 19-2: You can create multiple types of virtual hard disks.
Figure 19-3: You can create a dynamically expanding virtual hard disk and specify the maximum size for the hard disk and the physical location of the virtual hard disk file.
Figure 19-4: You can create new virtual networks as needed within the Virtual Server console.
Figure 19-5: This shows a Virtual Server with four separate virtual networks.
Figure 19-6: You can control various aspects of a new virtual machine, including its physical location, during creation.
Figure 19-7: You can turn on a virtual machine from the Virtual Server interface.
Figure 19-8: The virtual machine can be controlled through the Virtual Server Web interface.
Figure 19-9: You can edit the configuration of the virtual machine to change items such as memory, processor utilization, network adapters, and virtual disks.
Figure 19-10: You can add multiple virtual network adapters to each virtual machine and connect those virtual network adapters to the appropriate virtual networks.
Figure 19-11: Two separate virtual network adapters are connected to two separate virtual networks. These correspond to the internal and external networks in the ISA Server 2004 configuration.
Figure 19-12: This screenshot shows the two network adapters that the ISA Server 2004 virtual machine sees. These correspond to the virtual network adapters added previously.
Chapter 20: Configuring Microsoft ISA Server 2004 with Microsoft Small Business Server 2003
Figure 20-1: Install ISA Server 2004 onto an SBS 2003 computer using the Service Pack 1 CDs from Microsoft.
Figure 20-2: SBS 2003 uses the Configure E-Mail and Internet Connection Wizard to configure the initial settings for ISA Server. You can then configure more detailed settings.
Figure 20-3: The Broadband Connection page allows you to choose the type of broadband connection you use.
Figure 20-4: Enter the information for your dial-up account.
Figure 20-5: Type in your DNS and router information here.
Figure 20-6: Enter the default gateway used by your ISP and the DNS server addresses that will resolve host names.
Figure 20-7: The Web Services Configuration page provides you with an easy way to create publishing rules for the different Web services provided by SBS 2003.
Figure 20-8: Type the domain name that your e-mail addresses will use.
Figure 20-9: The Configure E-Mail and Internet Connection Wizard configures SBS 2003 based on the settings you choose in the wizard.
Figure 20-10: Although not directly related to ISA Server, configuring Password Policies is a vital step toward having a secured SBS 2003 environment.