Initial Configuration

ISA Server's default settings prohibit all Internet access, so to put ISA Server to use you need to change some settings. (Microsoft chose this default so that the server stays fully locked down until you deliberately allow access to the network.)

ISA Server provides the Getting Started Wizard to walk you through this initial setup. Table 31-3 describes the default settings of a freshly installed ISA server. For more complete control over the various aspects of ISA Server, use the console tree to locate the appropriate element, as described in the section entitled Administering ISA Server later in this chapter. The Getting Started Wizard provides an abbreviated list of options for each task.

Table 31-3. ISA Server postinstallation default settings

Feature: Default setting

User permissions: Members of the Administrators group on the local computer can configure policies on stand-alone servers. Only members of the Domain Admins and Enterprise Admins groups can configure array and enterprise policies.

Enterprise policy settings: The default enterprise array policy is used for new arrays. Stand-alone servers don't use enterprise policies.

Access control: All clients are allowed access to all content on all sites, using the default site and content rule named Allow Rule. Setup sometimes fails to create this rule, so you should double-check this setting.

Packet filtering: Enabled, unless in cache-only mode.

Publishing: No internal servers (such as Web servers) are accessible from the Internet.

Protocol rules: No protocols are allowed through the firewall, effectively blocking all Internet access.

Routing: All requests from Web Proxy clients are retrieved directly from the Internet.

Caching: HTTP and FTP requests are cached, but active caching (prefetching content) is disabled.

Alerts: All alerts are enabled except All port scan attack, Dropped packets, Protocol violation, and User Datagram Protocol (UDP) bomb attack.

To open this wizard, launch the ISA Management console by clicking Start, pointing to Programs, then to Microsoft ISA Server, and choosing ISA Management. The following sections cover the various parts of the wizard. Click Next in the Getting Started screen to begin the wizard, shown in Figure 31-9, or click a heading to jump directly to that part of the wizard.

Figure 31-9. The Getting Started Wizard.

If you don't see the Getting Started Wizard or any links on the right side of the ISA Management console, you probably have the Taskpad view turned off. To turn it on, from the View menu, choose Taskpad.

ISA Server can be configured to reduce the likelihood that the Nimda and Code Red viruses will be transmitted into or out of the network. For more information, see http://www.microsoft.com/isaserver/techinfo/prevent/default.asp on the ISA Server Web site.

Configuring Enterprise Policy

If you installed ISA Server as an array member, the Getting Started Wizard displays a number of headings you can use to configure the default policy for arrays in the enterprise.

These headings work identically to those discussed in the following sections; the only difference is that the settings you specify under the Configure Enterprise Policy heading apply to all arrays in the enterprise. The settings you specify under the Configure The Server And Array heading apply only to the server or array you're administering.

Selecting Policy Elements

Click the Select Policy Elements link to display the Select Policy Elements dialog box shown in Figure 31-10. Use this dialog box to choose how to apply policies: by users and groups, by computer names or IP addresses, by schedule, or by destination IP address or domain name.

Figure 31-10. Selecting policy elements to configure.

Configuring Schedules

Click the Configure Schedules link to set up or modify schedules (a type of policy element) that you can use when creating access rules. ISA Server automatically sets up a Work Hours schedule (9-5 Monday through Friday) and a Weekends schedule (all day Saturday and Sunday).

Double-click a schedule to modify it, or click the Create A Schedule link to create a new schedule, as shown in Figure 31-11. Click and drag the outline of a time block, and then select Active or Inactive to specify whether the schedule applies to the selected time period or not. Enter a name and optionally a description for the schedule and then click OK.

Figure 31-11. Creating a new schedule.

Configuring Client Sets

Click Next or Configure Client Sets to create policy elements that define groups of internal network clients to which you can then apply rules. Click the Create Client Set link to open the Client Set dialog box, shown in Figure 31-12.

Create a new client set by clicking Add and entering the starting and ending IP addresses for the group of internal network clients. When you're finished adding IP address sets, enter a name and optionally a description for the group of clients, and then click OK.

Figure 31-12. Creating a client set.

Configuring Protocol Rules

To give clients access to the external network (which is most likely the Internet), you need to specify which protocols clients can use to reach it. To do so, click Next or the Configure Protocol Rules link, and then use the following steps to create a protocol rule, a type of policy:

  1. Click the Create A Protocol Rule For Internet Access link to enable internal clients to use the HTTP, HTTPS, FTP, and Gopher protocols, or click the Create A Protocol Rule link to enable other protocols. This opens the New Protocol Rule Wizard.
  2. Enter a name for the new protocol rule in the first screen of the New Protocol Rule Wizard and then click Next.
  3. In the Protocols screen shown in Figure 31-13, choose All IP Traffic in the Apply This Rule To list box to allow clients to use any IP protocol to access the Internet, or choose Selected Protocols or All IP Traffic Except Selected Protocols to limit access by protocol. Select the protocols and then click Next. Clear the Show Only Selected Protocols check box to display all protocols for which ISA Server has protocol definitions.

    Figure 31-13. Selecting protocols to allow clients to use.

    A good way to configure ISA Server is to initially allow all protocols, and then create rules to deny those protocols that you know users don't need. This reduces the need to open ports later for different services such as Microsoft NetMeeting, Windows Media, and instant messaging clients.

  4. To permit the use of these protocols only during certain time periods, select a schedule from the Use This Schedule drop-down list box and then click Next.
  5. In the Client Type screen shown in Figure 31-14, choose whether to apply the protocol rule to all requests, only requests from certain computers (client address sets), or certain user groups. Choose the appropriate option and then click Next.

    Figure 31-14. Specifying to which clients the rule applies.

  6. If you chose to apply the rule to client address sets, click Add in the next screen to select client address sets to which to apply the protocol rule. Click OK and then click Next when you're finished.
  7. If you chose to apply the rule to certain Windows user groups, click Add in the Users And Groups screen and then use the standard Select Users And Groups dialog box to specify the appropriate Windows user groups. Click OK and then click Next when you're finished.

    Applying a protocol rule to certain users or groups excludes non-Windows clients from the protocol rule. If you don't then create a protocol rule that either applies to all requests or to client address sets containing the non-Windows clients on the network, these clients won't be able to access the Internet or external network.

  8. Review the summary of the settings you specified, and then click Finish to create the protocol rule.

Configuring Destination Sets

You can use destination sets to group computers on the Internet together. You can optionally apply rules to these destination sets to control such things as site and content rules, bandwidth rules, Web publishing rules, and routing rules.

To create destination sets, click the Configuring Destination Sets link, and then use the following steps:

  1. Click the Create Destination Set link to open the New Destination Set dialog box, shown in Figure 31-15.

    Figure 31-15. Creating a new destination set.

  2. Enter a name for the destination set, and then click Add to display the Add/Edit Destination dialog box, shown in Figure 31-16.

    Figure 31-16. Adding destinations to a destination set.

  3. To add computers or domains by their DNS name, select the Destination option and enter the host name in the box provided, or click Browse to search Active Directory. To specify all computers in a domain, enter an asterisk, followed by the desired domain name, for example, *.wwowidgets.com.
  4. To specify a range of IP addresses, select the IP Addresses option and enter the beginning and ending IP addresses in the boxes provided.
  5. To specify a particular path, enter the path in the Path box. To include all files in a folder, enter the path followed by an asterisk, for example /Inetpub/wwwroot/*.
  6. Click OK when you're finished, add any additional destinations to the destination set, and then click OK to close the destination set.

Configuring Site and Content Rules

You can use site and content rules to limit which Web sites and content the network clients can access. By default, ISA Server allows access to all content and sites once you've created a protocol rule permitting clients to actually reach the sites.

Our testing indicates that there are some instances when the default Allow Rule isn't created, thereby preventing all Internet access even when the proper protocol rules are in place. Check the enterprise policy and array and stand-alone server configuration if in doubt.

To create additional rules limiting access by destination set, schedule, or client set, use the following procedure:

  1. Click the Configure Site And Content Rules link in the Getting Started Wizard.
  2. Enter a name for the rule in the first screen of the wizard and then click Next.
  3. Choose whether the rule should allow access or deny access to content. If the rule is denying access, optionally select the check box shown in Figure 31-17 to redirect requests to another Web page, such as a page stating your company's Web surfing policy. Click Next to continue.

    Figure 31-17. Creating a site and content rule.

    Be careful not to create conflicting or overlapping rules. In the event of overlapping rules, the more restrictive rule is used.

  4. In the next screen, choose the destinations to which to apply this rule. To use a destination set you created earlier, choose Specified Destination Set or All Destinations Except Selected Set from the drop-down list box, and then choose the appropriate set from the Name drop-down list box that appears, as shown in Figure 31-18. Click Next to continue.

    Figure 31-18. Specifying which destinations to include in the rule.

  5. In the Schedule screen, select a schedule to use for the rule and then click Next.
  6. In the Client Type screen, choose which clients to process in this rule. Choose Any Request to apply the rule to all clients, Specific Computers to apply the rule to a client address set you created earlier, or Specific Users And Groups to apply the rule to particular user groups. Click Next to continue.
  7. Review the summary of the settings you chose, and then click Finish to create the site and content rule.
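The following Python model is an added illustration, not code from the book or from ISA Server, of how the policy elements described in the Configuring Protocol Rules, Configuring Destination Sets and Configuring Site And Content Rules sections combine into an access decision: a request must be allowed by a protocol rule and by a site and content rule, a matching deny beats any allow, rules scoped to Windows users or groups never match a client with no Windows identity, and a missing default Allow Rule blocks everything. The rule names, IP ranges, the Staff group and the two sample dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from ipaddress import IPv4Address
from typing import Callable, Optional

def always(when: datetime) -> bool:            # schedule element: no time restriction
    return True

def work_hours(when: datetime) -> bool:        # the built-in Work Hours schedule, 9-5 Mon-Fri
    return when.weekday() < 5 and 9 <= when.hour < 17

MONDAY_10AM = datetime(2003, 6, 2, 10)         # constructed sample times: inside Work Hours
SATURDAY_NOON = datetime(2003, 6, 7, 12)       # and on a weekend

@dataclass
class Request:
    client_ip: str
    protocol: str
    host: str
    path: str
    when: datetime
    groups: Optional[set] = None   # None: no Windows identity (a non-Windows client)

@dataclass
class Rule:
    name: str
    kind: str                          # "protocol" rule or "site" (site and content) rule
    allow: bool
    protocols: Optional[set] = None    # None = All IP Traffic
    hosts: Optional[set] = None        # destination set entries such as "*.wwowidgets.com"
    path: str = "*"                    # destination path such as "/Inetpub/wwwroot/*"
    clients: Optional[tuple] = None    # client address set as (first IP, last IP)
    groups: Optional[set] = None       # Windows users and groups
    schedule: Callable[[datetime], bool] = always

    def matches(self, r: Request) -> bool:
        if self.protocols is not None and r.protocol not in self.protocols:
            return False
        if self.hosts is not None and not (fnmatch(r.path, self.path) and
                any(fnmatch(r.host.lower(), h.lower()) for h in self.hosts)):
            return False
        if self.clients is not None:
            lo, hi = (IPv4Address(a) for a in self.clients)
            if not lo <= IPv4Address(r.client_ip) <= hi:
                return False
        # A rule scoped to users or groups never matches a client without a Windows identity
        if self.groups is not None and not (r.groups and r.groups & self.groups):
            return False
        return self.schedule(r.when)

def decide(rules: list, r: Request) -> str:
    """A request needs an allowing protocol rule AND an allowing site and content rule;
    within each kind a matching deny wins over any allow (the more restrictive rule)."""
    for kind in ("protocol", "site"):
        hits = [x for x in rules if x.kind == kind and x.matches(r)]
        denies = [x.name for x in hits if not x.allow]
        if denies:
            return "denied by " + denies[0]
        if not any(x.allow for x in hits):
            return "no %s rule allows this request" % kind
    return "allow"

# Constructed policy: the wizard's Internet access rule, an FTP deny for a guest client
# address set, the default Allow Rule, and a work-hours deny for the Staff group.
RULES = [
    Rule("Internet Access", "protocol", True, protocols={"HTTP", "HTTPS", "FTP", "Gopher"}),
    Rule("No FTP for guests", "protocol", False, protocols={"FTP"}, clients=("10.0.5.1", "10.0.5.254")),
    Rule("Allow Rule", "site", True),
    Rule("No widget site at work", "site", False, hosts={"*.wwowidgets.com"},
         path="/Inetpub/wwwroot/*", groups={"Staff"}, schedule=work_hours),
]
```

Removing the Allow Rule from RULES reproduces the situation the book warns about: every request then fails with "no site rule allows this request" even though the protocol rules are in place.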

Securing Your Server

The default security settings for Windows are not appropriate for an ISA server that will be exposed to potential attacks on the Internet. For this reason, Microsoft provides the ISA Server Security Configuration Wizard to walk you through locking down Windows. To use this wizard, follow these steps:

  1. Click the Secure Server link in the Getting Started Wizard.
  2. Click the Secure Your ISA Server Computer link to begin the ISA Server Security Configuration Wizard.
  3. Click Next in the first screen, choose the appropriate security level as shown in Figure 31-19, and then click Next:
    • Dedicated: This is the highest security option. It prevents any functionality other than ISA Server's firewall service (which means no caching either). To provide caching with your ISA server, don't use this setting.
    • Limited Services: This is the medium security option (best for most networks). It is appropriate for servers that are firewall and caching servers or domain controllers.
    • Secure: This is the least secure setting. It is appropriate for servers that also act as database, Web, or mail servers.

    Figure 31-19. Securing an ISA server.

  4. Review your choice and click Finish to implement the security changes.

Security level changes you make using the ISA Server Security Configuration Wizard are difficult to undo, and they might impact applications that require low security levels to run. This isn't a reason not to lock down your server, but it is a reason to test the functionality of other server applications after running the wizard.

Configuring Firewall Protection

A key security component of ISA Server is its packet filtering capabilities. To modify packet filtering settings, use the following procedure:

  1. Click the Configure Firewall Protection link in the Getting Started Wizard.
  2. Click the Configure Packet Filtering And Intrusion Detection link to open the IP Packet Filters Properties dialog box, shown in Figure 31-20.

    Figure 31-20. Configuring packet routing and packet filtering properties.

  3. To toggle packet filtering on or off (it's on by default), use the Enable Packet Filtering check box. Individual packet filters are configured from the IP Packet Filters folder in the ISA Management Console tree, as discussed later.
  4. Select the Enable Intrusion Detection check box to enable ISA Server to generate an alert when an attempt is made to hack into your network or bring down the server.
  5. Select the Enable IP Routing check box to enable ISA Server to route packets that are neither TCP nor UDP from the internal network to the external network (most likely the Internet).

    If you don't enable IP routing, internal clients won't be able to use the Ping, Tracert, or Pathping utilities. Additionally, outbound PPTP connections are disabled as well. Note, though, that the Ping tool only functions with SecureNAT clients; Firewall clients need to disable the Firewall client software to use Ping.

  6. Click the Packet Filters tab to enable or disable filtering of fragmented IP packets or packets with IP options, as shown in Figure 31-21. You can also enable the logging of packets that are allowed to pass through the ISA server here.

    Don't enable filtering of fragmented IP packets if you use streaming audio or video across the ISA server.

    Figure 31-21. Configuring packet filtering.

  7. Click the Intrusion Detection tab to enable detection and logging of common attacks such as the ping of death or port scanning, as shown in Figure 31-22 (the Enable Intrusion Detection check box must be selected on the General tab before any of these options can be enabled).

    Figure 31-22. Enabling intrusion detection.

  8. To enable virtual private networking with the PPTP protocol to work with ISA Server, click the PPTP tab and select the PPTP Through ISA Firewall check box.
  9. Click OK when you're finished configuring the packet filtering options.

Configuring Dial-Up Entries

ISA Server provides the ability to use dial-up connections to provide Internet access to clients.

To set up ISA Server to use a dial-up connection as the primary network connection, use the following steps:

  1. Click the Configure Dial-Up Entries link in the Getting Started Wizard.
  2. Click the Create A Dial-Up Entry link. Click Yes when asked to make the dial-up entry the default.
  3. Enter a name for the dial-up entry, and then click Select to choose the dial-up account to use, as shown in Figure 31-23. Note that you must create the dial-up entry in the Windows 2000 Network And Dial-Up Connections folder before you can use it in ISA Server.

    Figure 31-23. Configuring a dial-up entry.

  4. Click Set Account to enter the user name and password for the dial-up entry. Click OK when finished.

ISA Server automatically establishes a connection as needed, as long as you don't have a default gateway specified on any network card in the ISA server. Also note that ISA Server probably won't hang up a connection once established, so make sure that you want to be connected continuously before using a dial-up link with ISA Server.

Configuring Routing for Firewall and SecureNAT Clients

The Configure Routing For Firewall And SecureNAT Clients link allows you to specify how requests from Firewall and SecureNAT clients are routed: either directly to the Internet using ISA Server, or using an upstream server such as another ISA server or Microsoft Proxy Server 2.0.

To modify these routing settings, use the following steps:

  1. Click the Configure Routing For Firewall And SecureNAT Clients link in the Getting Started Wizard.
  2. Click the Configure Firewall Routing link.
  3. Use the Network Configuration Properties dialog box shown in Figure 31-24 to specify how to route incoming Firewall and SecureNAT client requests:
    • Use Primary Connection: This option retrieves content directly from the Internet.
    • Use Dial-Up Entry: Select this check box to use the active dial-up entry to retrieve content from the Internet.
    • Chain To This Computer: This option forwards requests to the computer you specify in the box provided (or choose using the Browse button). Optionally specify the account to use when connecting to the upstream server, or specify that a dial-up connection should be used.
  4. Click OK when finished.

    Figure 31-24. Modifying firewall routing properties.

Configuring Routing for Web Browser Applications

Most companies use the default routing rule for Web Proxy clients (any client using a Web browser configured to use the ISA server as the proxy server). This rule automatically routes requests for Web pages to the Internet if the requested page isn't available from ISA Server's cache.

However, you can also set up ISA Server to route Web Proxy client requests to an upstream server, or create multiple rules to route clients differently based on the destination set of the request.

To configure routing for Web proxy clients, use the following steps:

  1. Click the Configure Routing For Web Browser Applications link in the Getting Started Wizard.
  2. Click the Configure A Routing Rule For Web Browser Applications link.
  3. Specify how Web browser clients should be routed, as shown in Figure 31-25, and then click OK.

    Figure 31-25. Configuring routing for Web browser applications.

If clients frequently access your company's own Web site, you can create a routing rule that routes requests for your company's external Web site directly to your company's internal Web site or intranet. To do this, first create a destination set containing the desired Web site or Web sites (destinations). Then click the Routing folder in the ISA Management console tree, choose the New Rule command from the Action menu, and use the wizard to create a new routing rule.

Configuring Cache Policy

Although you configure the size and location of ISA Server's cache during installation, there are some additional configuration steps that you should take to ensure that ISA Server provides optimal performance for your network:

  1. Click the Configure Cache Policy link in the Getting Started Wizard.
  2. Click the Configure Cache Policy link. This displays the General tab of the Cache Configuration Policy dialog box, which lists the total cache size.
  3. Click the HTTP tab to configure how long Web pages are stored in ISA Server's disk cache, as shown in Figure 31-26. Use the options listed next, or clear the Enable HTTP Caching check box to disable the caching of Web pages (not recommended):
    • Frequently (Expire Immediately): Refreshes cached Web pages frequently (but not immediately, despite what the label says).
    • Normally: Provides a balance between frequently updating cached content and conserving bandwidth by updating content less often. This setting is, appropriately enough, the default.
    • Less Frequently (Reduced Network Traffic Is More Important): Conserves network bandwidth by updating cached Web pages less frequently. This setting is most appropriate for networks with slow or expensive Internet connections.

    Some Web pages have a Time to Live (TTL) setting, which overrides the settings you make here. This permits dynamic Web pages to work properly without presenting users with stale data.

    Figure 31-26. Configuring caching for Web pages.

  4. Click the FTP tab to specify how long to cache FTP objects. The default setting is 1440 minutes (24 hours), but because FTP objects aren't usually updated very frequently, you can increase this so that large objects such as programs and software patches remain cached longer.
  5. Click the Active Caching tab to enable active caching, which is highly recommended. Choose an option corresponding to how aggressively ISA Server should perform active caching:
    • Frequently: Provides the fastest perceived performance for clients, but uses the most network bandwidth. If your Internet connection has plenty of unused bandwidth, choose this setting.
    • Normally: Balances client performance with network usage. This is a good setting for networks with an Internet connection under medium levels of load.
    • Less Frequently: Updates the cache less frequently, which gives clients less of a performance boost but also uses less network bandwidth. This setting is appropriate for networks that need to conserve scarce Internet bandwidth for applications other than Web browsing.

    Active caching permits ISA Server to preemptively go to the Internet and update frequently accessed Web pages. Then when a client requests the Web page, the latest version is already available from the ISA Server cache.

  6. Click the Advanced tab to modify other cache policy settings, as shown in Figure 31-27:
    • Select the Do Not Cache Objects Larger Than check box to set an upper limit on the size of cached objects. In general you should avoid using this setting unless you need to conserve hard disk space on your ISA servers (it is better to purchase additional hard disks than to do this).
    • In the Maximum Size Of URL Cached In Memory box, enter the maximum object size that ISA Server should cache in RAM (larger objects are cached only on the hard drive to conserve RAM usage).
    • In the If Web Site Of Expired Object Cannot Be Reached section, specify what ISA Server should do if a client requests an object that is expired but can't be refreshed because the Web site is inaccessible.
    • In the Percentage Of Free Memory To Use For Caching box, enter the percentage of available RAM to use as a RAM cache. The RAM cache provides even faster client response than possible with the slower hard disk cache.

    Figure 31-27. Configuring other cache settings.

  7. Click OK when finished.

More Info

To change the size of the ISA Server cache or on which drives it is located, see the section entitled Changing Cache Properties later in this chapter.

Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320