Chapter 10: Microsoft ISA Server Security and Administration


The focus of this chapter is the General node in the ISA Server Management console, which includes the ISA Server Administration and Additional Security Policy sections in the details pane of the console. Although a few of the topics, such as firewall chaining and administration delegation, have been discussed in other chapters, we touch on each task in this chapter, provide the explanations and procedures to support it, and cross-reference the relevant places in the other chapters where appropriate.

ISA Server Administration

In this section of the chapter, we illustrate how to configure the following items:

  • Administrator delegation

  • Firewall chaining

  • Dial-up preferences

  • Certificate revocation

  • Firewall client settings

  • ISA Server computer details

  • Link translation

Delegating Administration

The Administration Delegation Wizard in ISA Server 2004 gives you the ability to delegate certain administrative tasks and responsibilities to other administrators on your support staff. It contains three built-in roles from which you can choose:

  • ISA Server Basic Monitoring

  • ISA Server Extended Monitoring

  • ISA Server Full Administrator

In Chapter 2, "Installing and Configuring Microsoft ISA Server 2004 Standard Edition," we explained the purpose of each of these roles in the section entitled "Assigning ISA Server Administrative Roles." In this section, we walk you through how to perform delegation tasks using the Administration Delegation Wizard.

To delegate ISA Server functions to your ISA Server administrators, follow these steps:

  1. Open the ISA Server Management console. In the console tree, expand the server name, expand the Configuration node, and then click General.

  2. In the details pane, under ISA Server Administration, click Administration Delegation.

  3. On the Welcome To The ISA Server Administration Delegation Wizard page, read about the purpose of the wizard, and then click Next.

  4. On the Delegate Control page, specify the users and groups that will be assigned roles. Click Add to open the Administration Delegation dialog box, as shown in Figure 10-1. Either type the name of the user or group in the Group (Recommended) Or User text box, or click Browse to choose the user or group. Click the Role drop-down list to select one of the three defined ISA Server roles. Click OK and then click Next to continue.

    Note 

    The wizard can also be used to edit or remove delegated access by selecting the user or group, and clicking Edit or Remove.

  5. On the Completing The Administration Delegation Wizard page, review the summary of information, and click Finish.

  6. In the details pane, click Apply to save your changes, and then click OK.

Figure 10-1: Role-based delegation allows you to assign roles to administrators of your ISA Server environment.

Configuring Firewall Chaining

Firewall chaining is the ability to redirect firewall client or SecureNAT client requests to an upstream ISA Server computer. Details on how to configure firewall chaining are given in Chapter 9, "Configuring Multinetworking," in the section entitled "Firewall Chaining."

Configuring Dial-Up Preferences

Dial-up connections, although not as common today as 5 to 10 years ago, are still the only way some companies can obtain Internet connectivity. To properly configure your ISA Server 2004 computer to use a dial-up connection, complete the following two steps:

  1. Create a dial-up or VPN connection using the Network Connections program in the Control Panel on your ISA server.

    For instructions on creating a new network connection, see the Windows Server 2003 Help File, or the Microsoft Windows Server 2003 Administrator Pocket Consultant written by William Stanek and published by Microsoft Press.

  2. Specify the dial-up preferences to use the connection created in Step 1, as discussed in this section.

To specify the dial-up preferences, follow these steps:

  1. Open the ISA Server Management console. In the console tree, expand the server name, expand the Configuration node, and click General.

  2. In the details pane, under ISA Server Administration, click Specify Dial-Up Preferences.

  3. In the Dialing Configuration dialog box shown in Figure 10-2, specify the dialup preferences as explained below, and then click OK.

    • I Will Dial The Connection Myself Requires you, as the ISA server administrator, to initiate the connection before your users on the protected networks can access the Internet.

    • Allow Automatic Dialing To This Network Allows the ISA server to dial the connection when users on the protected networks request access to the Internet. You must then specify a network in the drop-down list.

    • Configure This Dial-Up Connection As The Default Gateway Select this check box to configure the ISA server to use the default gateway settings of the VPN server instead of the default gateway settings defined within its Internet Protocol (IP) stack.

    • Use The Following Dial-Up Connection Allows you to select the dial-up connection created earlier. Click Select to choose the connection to use.

    • Use This Account Allows you to define the credentials assigned to you by your Internet service provider (ISP). Click Set Account to type the user name and the password.

Figure 10-2: You can configure how ISA Server should use your dial-up or VPN connection to the ISP.

Certificate Revocation

Certificate revocation checking verifies that incoming certificates are still valid by comparing them against the certificate revocation list (CRL) and denying access to any certificate that appears on the list. To configure certificate revocation, follow these steps:

  1. Open the ISA Server Management console. In the console tree, expand the server name, expand the Configuration node, and click General.

  2. In the details pane, under ISA Server Administration, click Specify Certificate Revocation.

  3. In the Certificate Validation dialog box, shown in Figure 10-3, select the appropriate check boxes to determine how ISA Server verifies client certificates.

    • Verify That Incoming Client Certificates Are Not Revoked ISA Server checks the CRL and denies access to any incoming client whose certificate appears on the CRL as revoked.

    • Verify That Incoming Server Certificates Are Not Revoked In A Forward Scenario Ensures that ISA Server checks for revoked certificates when acting as a Web proxy.

    • Verify That Incoming Server Certificates Are Not Revoked In A Reverse Scenario Ensures that ISA Server checks for revoked certificates when publishing Web servers.

  4. Click OK.

Figure 10-3: You can determine how incoming client certificates are verified in multiple scenarios.

Defining Firewall Client Settings

You can configure settings for how the firewall clients installed in your environment interact with ISA Server. To configure these settings, follow these steps:

  1. Open the ISA Server Management console. In the console tree, expand the server name, expand the Configuration node, and click General.

  2. In the details pane, under ISA Server Administration, click Define Firewall Client Settings.

  3. In the Firewall Client Settings dialog box are two tabs, Connection and Application Settings. The configurable settings are described in Table 10-1.

  4. Click OK when you have finished.

Table 10-1: Configuring Firewall Client Settings

  Tab Name: Connection
  Explanation: ISA Server 2004 encrypts traffic between the firewall clients and ISA Server. Earlier versions of the firewall client do not support this encryption. To allow earlier versions of the firewall client to connect to ISA Server unencrypted, select the Allow Non-Encrypted Firewall Client Connections check box.

  Tab Name: Application Settings
  Explanation: Shows the application settings that are configured in the server-side copy of the client configuration file. For further details, see the ISA Server Help file.

For more detailed information about firewall settings and how to configure them, see Chapter 4, "Installing and Configuring Microsoft ISA Server 2004 Clients."

Viewing ISA Server Details

ISA Server details are presented on a single property page within the ISA Server 2004 Management console. This summary of items such as your ISA Server computer name, version, product ID, and installation directory gives you quick access to information about your ISA Server installation.

To view your ISA Server details, follow these steps:

  1. Open the ISA Server Management console. In the console tree, expand the server name, expand the Configuration node, and click General.

  2. In the details pane, under ISA Server Administration, click View ISA Server Computer Details.

  3. In the Server Name Properties dialog box, you can quickly see settings such as Full Computer Name, ISA Server Version, Product ID, Created, and Installation Directory, as shown in Figure 10-4. This information is helpful when you need to check your ISA Server version to determine which service pack level is installed.

    Note 

    ISA Server Standard Edition Service Pack 1 alters the ISA Server version to 4.0.2161.50.

  4. Click OK when you have finished.

Figure 10-4: Viewing the ISA Server computer details provides you with a quick reference to common ISA Server information.

Configuring Link Translation

The link translation feature handles situations in which a published internal site uses links that differ inside the network from those used outside it. Link translation is required only for absolute Uniform Resource Locators (URLs). An absolute URL in a Web page looks like this:

 <A HREF = "http://www.contoso.com/sites/one.htm">Page Title</A> 

A relative link would look like this:

 <A HREF = "/sites/one.htm">Page Title</A> 

Relative links do not need to be translated, because they do not contain the server name: the client's browser always retrieves relative links from the server to which it is currently connected. Absolute links do contain a server name, however, and may require translation if the server name differs internally and externally. The translation must occur whether the server being linked to is the same server that hosts the original page or a different one. Where a link is not translated automatically, the administrator can specify it manually using the dictionary entries described later in this section.

Some default behaviors are available with link translation (as defined by the Default Link Translation Library). For example, ISA Server automatically translates every link whose host header matches the server name or IP address used in the publishing rule. ISA Server also translates links for Web sites published on a non-standard port, for example port 8171 on the ISA server and port 80 on the internal network: links returned by the internal Web server on port 80 are rewritten to port 8171 on the ISA server.

Note 

Remember that you can enable link translation for individual Web publishing rules (see Chapter 8, "Configuring Microsoft ISA Server Firewall Policy," for more details). The settings described next apply to all Web publishing rules using link translation.

To configure the content for all Web publishing rules that have link translation enabled, follow these instructions:

  1. Open the ISA Server Management console. In the console tree, expand the server name, expand the Configuration node, and click General.

  2. In the details pane, under ISA Server Administration, click Configure Link Translation.

  3. In the Link Translation dialog box, the Content Types tab allows you to specify what type of content should be translated and applied to the Web publishing rules. Select the content types to apply as a global setting across all defined Web publishing rules, and then click OK.

    Note 

    By default, the only content type selected is the HTML Documents check box.

  4. In the details pane, click Apply to save your changes, and then click OK.

To configure the specific translations that will be made, you'll need to create dictionary entries in the Web publishing rule you created. To configure dictionary entries, follow these steps:

  1. Open the ISA Server Management console. Navigate to the ISA Server array, click the Firewall Policy node, select the Web publishing rule you created, and then click the Edit Selected Rule link in the Task pane.

  2. Click the Link Translation tab, then select the Replace Absolute Links In Web Pages check box.

  3. Click Add. The Add/Edit Dictionary Item dialog box opens.

  4. In the Replace This Text text box, type in the link you wish to be translated, such as InternalNetBIOSName.

  5. In the With This Text text box, type the name that will replace the internal reference, such as www.external.com.

  6. Click OK.

  7. In the details pane, click Apply to save your changes, and then click OK.
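The following Python model, added here as an illustration and not part of the book or of ISA Server itself, shows the two translation paths described above: the default library's host-and-port rewrite for links that match the published server, and the administrator's dictionary entries (Replace This Text / With This Text) for anything else, applied only to content types selected on the global Content Types tab. The host names, the dictionary entry and the rule values are constructed sample data; only href/src attributes are rewritten, which is a simplification of the product's behavior.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Global Content Types setting: only HTML Documents is selected by default.
TRANSLATED_CONTENT_TYPES = {"text/html"}

# Constructed dictionary entries from a rule's Link Translation tab:
# "Replace This Text" -> "With This Text".
DICTIONARY = {"InternalNetBIOSName": "www.external.com"}

# Constructed publishing rule: the internal server as named in the rule,
# and the public listener (port 8171 as in the text, 80 internally).
RULE = {"internal_host": "webserver.contoso.local", "internal_port": 80,
        "public_scheme": "https", "public_host": "www.contoso.com",
        "public_port": 8171}

# href/src attributes, quoted or not, with optional spaces around "=".
_LINK_RE = re.compile(r'''(\b(?:href|src)\s*=\s*)(["']?)([^"'\s>]+)(\2)''',
                      re.IGNORECASE)


def translate_url(url, rule=RULE, dictionary=DICTIONARY):
    """Rewrite one link as the default library plus dictionary entries would."""
    parts = urlsplit(url)
    if not parts.netloc:
        # Relative link: no server name, so the browser resolves it against
        # the host it is already connected to and nothing is translated.
        return url
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if ((parts.hostname or "").lower() == rule["internal_host"].lower()
            and port == rule["internal_port"]):
        # Default behavior: host matches the published server, so the link is
        # rewritten to the scheme, host and port that external clients use.
        netloc = f'{rule["public_host"]}:{rule["public_port"]}'
        return urlunsplit((rule["public_scheme"], netloc,
                           parts.path, parts.query, parts.fragment))
    # Otherwise apply the administrator's manual dictionary entries.
    for old, new in dictionary.items():
        url = url.replace(old, new)
    return url


def translate_page(body, content_type, rule=RULE, dictionary=DICTIONARY):
    """Translate links in a response body if its content type is selected."""
    if content_type.split(";")[0].strip().lower() not in TRANSLATED_CONTENT_TYPES:
        return body

    def _sub(m):
        return m.group(1) + m.group(2) + translate_url(m.group(3), rule, dictionary) + m.group(4)
    return _LINK_RE.sub(_sub, body)
```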




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
Year: 2006
Pages: 173
