Learn how to plan and install ISA Server with this comprehensive guide. Understand network infrastructure requirements, configure firewall clients, and maintain server security.
The ISA Server Deployment Planning Process
1. Understand the current network infrastructure.
2. Review company security policies.
3. Plan the required network infrastructure (DNS, DHCP, and Certificate Services).
4. Plan for branch office installations (WAN links, VPN, and so on).
5. Plan for availability and fault tolerance.
6. Plan for access to the Internet.
7. Plan the ISA Server client implementation and deployment.
8. Plan for server publishing.
9. Plan for VPN deployment.
10. Plan the implementation.
Network Infrastructure Requirements • DNS • Domain controllers • DHCP
Logging Requirements
• MSDE logging: the default logging method for firewall and Web Proxy activity. ISA Server writes log records directly to a Microsoft SQL Server Desktop Engine (MSDE) database, which enables sophisticated online queries (filtering) on the logged data.
• File logging: ISA Server writes log records sequentially to a text file (W3C extended or ISA file format). The file is easy to ship elsewhere but cannot be queried online from the console.
Installing ISA Server 2004 • Choosing ISA Server Clients • Installing and Configuring Firewall Clients • Advanced Firewall Client Configuration • Securing ISA Server 2004 • Maintaining ISA Server 2004
Lesson: Installing ISA Server 2004 • System and Hardware Requirements for ISA Server 2004 • Installation Types and Components • Configuration Choices During Installation • How to Perform an Unattended Installation of ISA Server 2004 • How to Verify an Installation of ISA Server 2004 • Default Configuration for ISA Server 2004 • How to Modify the ISA Server Installation • Upgrade Options from ISA Server 2000 to ISA Server 2004
System and Hardware Requirements for ISA Server 2004
• Operating system: Windows 2000 Server or Windows Server 2003
• CPU: 550 MHz or faster
• RAM: 256 MB
• Hard disk format: NTFS
• Hard disk space: 150 MB
• Network interfaces: one for the Internal network and one for the External network
To run ISA Server Management (the administration console) on a separate computer, you need the following:
• Operating system: Windows 2000 Server, Windows Server 2003, Windows 2000 Professional, or Windows XP
• CPU: Pentium II 300 MHz or faster
• RAM: 256 MB
• Hard disk space: 19 MB
ISA Server Installation Options
• Typical Installation: installs Firewall Services and ISA Server Management.
• Full Installation: installs all four ISA Server components: Firewall Services, ISA Server Management, the Firewall Client Installation Share, and the SMTP Message Screener.
• Custom Installation: lets you select which components will be installed. Install only what the server will actually use; the Message Screener and the Firewall Client share are extra listening surface on a perimeter host.
Practice: Installing ISA Server 2004
• Installing ISA Server 2004
(Lab computers: Den-ISA-01, Den-DC-01; Den-ISA-01 is connected to the Internet)
How to Perform an Unattended Installation of ISA Server 2004
• Why Use an Unattended Installation of ISA Server?
• Modifying the Msisaund.ini File:
[Setup Property Assignment]
PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx
INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
INSTALLDIR=C:\Program Files\Microsoft ISA Server
COMPANYNAME=Coho Vineyards
DONOTDELLOGS=1
DONOTDELCACHE=1
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
• Running an Unattended Setup:
D:\Setup.exe /V" /qn FULLPATHANSWERFILE=\"c:\MSISAUND.INI\""
How to Verify an Installation of ISA Server 2004
• Verify that the ISA Server services are installed and started
• Verify that the MSDE services are installed and started
• Review the setup log files
• Check the Application Log in the Event Viewer
• Check for ISA Server Alerts
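The unattended installation and the verification checklist above are one procedure. The script below is an added example, not course material or Microsoft code: it writes the Msisaund.ini answer file from variables (so the product key is not left in a script), runs Setup.exe with the command line shown on the slide, deletes the answer file, and then performs the service and event-log checks. The service names fwsrv, isactrl, isasched, isastg and MSSQL$MSFW, the media path D:\ and the answer-file path are assumptions; adjust them to your installation. PowerShell post-dates ISA Server 2004, so this targets a modern management host or a later Windows build.

```powershell
# Added example (not from the course). Builds Msisaund.ini, runs ISA Server 2004
# setup unattended and verifies the result. Service names, D:\Setup.exe and the
# answer-file path are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $ProductKey,
    [string]   $SetupExe       = 'D:\Setup.exe',
    [string]   $AnswerFile     = 'C:\MSISAUND.INI',
    [string]   $CompanyName    = 'Coho Vineyards',
    # Internal address ranges, one "start-end" pair per entry
    [string[]] $InternalRanges = @('192.168.1.0-192.168.1.255')
)
$ErrorActionPreference = 'Stop'

# Reject anything that is not a dotted-quad start-end pair: a typo here puts
# the wrong hosts on the trusted Internal network.
$rangePattern = '^(\d{1,3}\.){3}\d{1,3}-(\d{1,3}\.){3}\d{1,3}$'
foreach ($r in $InternalRanges) {
    if ($r -notmatch $rangePattern) { throw "Bad internal range: $r" }
}

# INTERNALNETRANGES is "<count> <range1> <range2> ...", as on the slide.
$ini = @"
[Setup Property Assignment]
PIDKEY=$ProductKey
INTERNALNETRANGES=$($InternalRanges.Count) $($InternalRanges -join ' ')
INSTALLDIR=C:\Program Files\Microsoft ISA Server
COMPANYNAME=$CompanyName
DONOTDELLOGS=1
DONOTDELCACHE=1
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
"@
Set-Content -Path $AnswerFile -Value $ini -Encoding Ascii

# Same command line as the slide: /V hands the rest to Windows Installer and
# /qn suppresses the UI. The single-quoted string keeps the escaped inner
# quotes exactly as Setup.exe expects them.
$setupArgs = '/V" /qn FULLPATHANSWERFILE=\"' + $AnswerFile + '\""'
$proc = Start-Process -FilePath $SetupExe -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Setup failed with exit code $($proc.ExitCode)" }

# The answer file holds the product key in clear text; do not leave it behind.
Remove-Item -Path $AnswerFile -Force

# Verification, following the slide's checklist. Assumed service names:
# fwsrv = Microsoft Firewall, isactrl = ISA Server Control, isasched = Job
# Scheduler, isastg = ISA Server Storage, MSSQL$MSFW = the MSDE instance.
$expected = 'fwsrv', 'isactrl', 'isasched', 'isastg', 'MSSQL$MSFW'
foreach ($name in $expected) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name is not installed"; continue }
    if ($svc.Status -ne 'Running') { Write-Warning "Service $name is $($svc.Status)" }
}

# Warnings and errors from ISA-related sources in the Application log since
# setup started; an empty table is the expected result.
$since = (Get-Date).AddHours(-1)
Get-EventLog -LogName Application -EntryType Error, Warning -After $since |
    Where-Object { $_.Source -like '*ISA Server*' -or $_.Source -like '*Firewall*' } |
    Format-Table TimeGenerated, Source, EventID, Message -AutoSize
```

Run it as `.\Install-IsaServer.ps1 -ProductKey 'xxxxx-...'` from an elevated prompt on the target server. The setup log files named on the slide are still worth opening by hand after a failed exit code; the script only surfaces the exit code and the event log.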
Default Configuration for ISA Server 2004
• Only Administrators can modify firewall policies
• Traffic is routed between the ISA Server (the Local Host network) and all other networks
• Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation
• Traffic is routed between the VPN network and the Internal network
• System policy permits access to the ISA Server itself, but the only access rule denies all network traffic through the ISA Server
• No servers are published
• Web Proxy requests will be retrieved directly from the Internet
• Caching is disabled
• A rule enabling access to the Firewall Client installation share is configured if you install the Firewall Client installation files
Practice: Verifying the Installation and Default Configuration of ISA Server 2004
• Verifying the successful installation of ISA Server 2004
• Examining the default installation of ISA Server 2004
(Lab computers: Den-ISA-01, Den-DC-01; Internet)
Upgrade Options from ISA Server 2000 to ISA Server 2004
• In-Place Upgrade: install ISA Server 2004 on the existing ISA Server 2000 computer.
• Migration: extract the ISA Server 2000 configuration, install ISA Server 2004 on a new computer, and import the ISA Server configuration there.
Lesson: Choosing ISA Server Clients • Types of ISA Server Clients • How to Configure a SecureNAT Client • How to Configure Web Proxy Clients • Guidelines for Choosing an ISA Server Client
Types of ISA Server Clients
• SecureNAT client: does not require you to deploy client software
• Web Proxy client: improves the performance of Web requests for internal clients
• Firewall client: allows Internet access only for authenticated users
How to Configure a SecureNAT Client
• SecureNAT clients do not require client installation or client configuration
• On a single-subnet network, configure the IP address of the ISA Server's internal network interface as the SecureNAT client's default gateway
• On a multiple-subnet network, configure the IP address of the local router as the SecureNAT client's default gateway, and make sure the router's route to the Internet goes through ISA Server
• Because no client software is involved, ISA Server sees only the source IP address of SecureNAT traffic, so access rules that apply to SecureNAT clients cannot require user authentication
Practice: Configuring SecureNAT and Web Proxy Clients
• Configuring ISA Server to log client connections
• Configuring and testing a SecureNAT client
• Configuring and testing a Web Proxy client
(Lab computers: Den-ISA-01, Den-DC-01, Den-Clt-01; Internet)
Lesson: Installing and Configuring Firewall Clients • How to Configure Firewall Client Settings • The Firewall Client Installation and Configuration Process • Options for Automating the Firewall Client Installation
The Firewall Client Installation and Configuration Process
The Firewall Client:
• Installs as a Winsock Layered Service Provider, the common service provider layer that other Winsock applications use to connect to application servers
• Intercepts Winsock client application calls for remote application servers and redirects the request to ISA Server, which is how ISA Server learns the user name behind each connection
Install the Firewall Client:
• From the Firewall Client share on the computer running ISA Server, or from another network share
Practice: Installing the Firewall Client
• Configuring the Firewall Client settings on ISA Server
• Installing the Firewall Client
(Lab computers: Den-ISA-01, Den-DC-01, Den-Clt-01; Internet)
Options for Automating the Firewall Client Installation
• Software package distributed using Group Policy
• Unattended installation
• SMS package distributed to specific clients using Systems Management Server (SMS)
Lesson: Advanced Firewall Client Configuration • Advanced Firewall Client Configuration Options • Firewall Client Configuration Files • What is the Automatic Discovery Feature?
Advanced Firewall Client Configuration Options
Locallat.txt:
• A client-computer-specific file that defines local addresses for that client; connections to those addresses bypass ISA Server
• The client uses its own routing table, the server-specific settings, and the Locallat.txt file to decide which IP addresses are local
Advanced Firewall Client settings:
• Can be configured locally per user and per computer
• Are applied as changes to the Firewall Client .ini files
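To see what a per-computer Locallat.txt looks like, the following added example (not part of the course or of the Firewall Client product) converts CIDR subnets into the first/last address pairs and writes the file. It assumes the documented Locallat.txt layout of one "<first-address> <last-address>" pair per line and the Firewall Client 2004 installation folder as the default destination; both are assumptions, and the sample subnets are constructed.

```powershell
# Added example, not course material: build a Firewall Client Locallat.txt
# from CIDR subnets. File layout and default path are assumptions.

function ConvertTo-DottedQuad {
    # 32-bit value (held in an int64) -> "a.b.c.d"
    param([Parameter(Mandatory = $true)] [int64] $Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { [int](($Value -shr $shift) -band 255) }
    return ($octets -join '.')
}

function ConvertTo-AddressRange {
    # Returns the first (network) and last (broadcast) address of a CIDR block.
    param([Parameter(Mandatory = $true)] [string] $Cidr)

    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Expected a.b.c.d/n, got '$Cidr'" }
    $prefix = [int] $parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }

    $bytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 is supported: '$Cidr'" }

    # Big-endian bytes -> int64 so the arithmetic below cannot overflow.
    [int64] $addr = 0
    foreach ($b in $bytes) { $addr = ($addr * 256) + $b }

    [int64] $size  = [math]::Pow(2, 32 - $prefix)   # addresses in the block
    [int64] $first = $addr - ($addr % $size)         # clears the host bits
    [int64] $last  = $first + $size - 1

    [pscustomobject] @{
        Cidr  = $Cidr
        First = ConvertTo-DottedQuad $first
        Last  = ConvertTo-DottedQuad $last
    }
}

function New-LocallatFile {
    # Writes one "<first> <last>" line per subnet and returns the lines written.
    param(
        [Parameter(Mandatory = $true)] [string[]] $Subnets,
        # Assumed location of the Firewall Client 2004 program folder.
        [string] $Path = "$env:ProgramFiles\Microsoft Firewall Client 2004\Locallat.txt"
    )
    $lines = foreach ($s in $Subnets) {
        $r = ConvertTo-AddressRange $s
        '{0} {1}' -f $r.First, $r.Last
    }
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $lines
}

# Constructed sample: two internal subnets plus a partner range that is reached
# through an internal router and must not be redirected to ISA Server.
# 172.16.40.32/27 becomes "172.16.40.32 172.16.40.63".
New-LocallatFile -Subnets '192.168.1.0/24', '10.20.0.0/16', '172.16.40.32/27' `
                 -Path "$env:TEMP\Locallat.txt"
```

Keep the list short and deliberate: every range in Locallat.txt is traffic the Firewall Client will send straight to the destination without ISA Server seeing it, so a too-wide entry silently removes that traffic from your firewall policy and logs.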
Firewall Client Configuration Files
Application.ini (per-application overrides; a section named for the application, here FW_Client_App):
[FW_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
LocalBindUdpPorts=7000-7022, 7100-7170
RemoteBindTcpPorts=30
RemoteBindUdpPorts=3000-3050
ServerBindTcpPorts=100-300
ProxyBindIp=80:192.168.10.20, 82:192.168.10.30
KillOldSession=1
Persistent=1
ForceCredentials=1
NameResolutionForLocalHost=L
Key meanings: Disable (1 = the Firewall Client ignores this application); NameResolution (R = names are resolved by ISA Server, L = locally); LocalBind*/RemoteBind*/ServerBind* (ports bound on the client, on ISA Server, or used for server-type listening); ProxyBindIp (port:address pairs bound on the ISA Server); KillOldSession, Persistent (session handling when the control channel is re-established); ForceCredentials (1 = always send the user's credentials); NameResolutionForLocalHost (L, P, or E: how the client's own host name is resolved).
What Is the Automatic Discovery Feature?
• The Firewall Client (or Web Proxy client) queries DHCP (option 252) or DNS for a WPAD entry
• The WPAD entry names the ISA Server to use (here Den-ISA-01)
• The client then requests its configuration file from that ISA Server
Practice: Configuring Automatic Discovery
• Configure the ISA Server for Automatic Discovery
• Configure DHCP for Automatic Discovery
• Configure DNS for Automatic Discovery
(Lab computers: Den-ISA-01, Den-Clt-01, Den-DC-01 acting as DNS and DHCP server; Internet)
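The three practice steps above form one procedure. The script below is an added example, not course or Microsoft code, that publishes the WPAD entry through both DHCP option 252 and a DNS host record and then checks it the way a client would. It assumes Den-ISA-01 already has "Publish automatic discovery information" enabled on its Internal network, that Den-DC-01 runs the DHCP and DNS services, the zone contoso.com, the scope 192.168.1.0 and the ISA internal address 192.168.1.1; port 80 is the ISA Server 2004 default for automatic discovery.

```powershell
# Added example, not course material. Publishes WPAD via DHCP option 252 and a
# DNS "wpad" A record, then verifies. Server names, zone, scope and addresses
# are lab assumptions.
param(
    [string] $DhcpServer    = 'den-dc-01',
    [string] $DnsServer     = 'den-dc-01',
    [string] $Zone          = 'contoso.com',
    [string] $Scope         = '192.168.1.0',
    [string] $IsaHost       = 'den-isa-01',
    [string] $IsaInternalIp = '192.168.1.1',
    [int]    $Port          = 80
)
$ErrorActionPreference = 'Stop'

# DHCP clients receive the whole URL, so a non-default port works for them.
$wpadUrl = "http://$IsaHost.$($Zone):$Port/wpad.dat"

# DHCP: define option 252 once (STRING, not an array), then set it on the scope.
netsh dhcp server \\$DhcpServer add optiondef 252 WPAD STRING 0 comment=WPAD
netsh dhcp server \\$DhcpServer scope $Scope set optionvalue 252 STRING $wpadUrl

# DNS: clients that cannot use DHCP resolve wpad.<domain> and fetch
# http://wpad.<domain>/wpad.dat with no port, so the DNS path only works when
# ISA Server publishes automatic discovery on port 80.
if ($Port -ne 80) { Write-Warning "DNS-based discovery needs port 80; ISA is publishing on $Port" }
dnscmd $DnsServer /RecordAdd $Zone wpad A $IsaInternalIp

# Verification: wpad must resolve to the ISA internal address, and the script
# the server hands out must contain the FindProxyForURL function.
$resolved = [System.Net.Dns]::GetHostAddresses("wpad.$Zone") |
            ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $IsaInternalIp) {
    throw "wpad.$Zone resolves to $($resolved -join ', '); expected $IsaInternalIp"
}
$pac = (New-Object System.Net.WebClient).DownloadString($wpadUrl)
if ($pac -notmatch 'FindProxyForURL') { throw "No PAC script returned from $wpadUrl" }
Write-Host "WPAD published and reachable: $wpadUrl"
```

Both publication paths point clients at a proxy they will trust for all Web traffic, so only an administrator of the DHCP and DNS servers should be able to change option 252 or the wpad record; an attacker who can write either value can redirect every auto-configured client through a host of their choosing.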
Lesson: Securing ISA Server 2004 • ISA Server and Defense in Depth • About Using Security Templates to Secure the Server • Methods for Implementing Security Updates • Guidelines for Enabling Only Required Services • How to Secure the Network Interfaces • Configuring Administrative Roles • Best Practices for Securing the Server
ISA Server and Defense in Depth
• Security at all levels:
  • Increases an attacker's risk of detection
  • Reduces an attacker's chance of success
Layers, from outermost to innermost:
• Policies, Procedures, and Awareness: user education
• Physical Security: guards, locks, tracking devices
• Perimeter: firewalls, Network Access Quarantine Control
• Internal Network: network segments, IPSec, NIDS
• Host (Operating Systems): OS hardening, authentication, patch management, HIDS
• Application: application hardening, antivirus
• Data: ACLs, encryption, EFS
About Using Security Templates to Secure the Server
• Configure one security template and then apply it to multiple computers, or reapply the template periodically to the same computers to ensure that the security settings have not drifted
• Apply the security template through Group Policy at a domain or organizational unit level when the ISA Server is a domain member
• Use the Security Templates MMC snap-in to author templates, and the Security Configuration and Analysis snap-in (or secedit.exe) to apply one to a stand-alone ISA Server; an edge server in a workgroup receives no domain Group Policy
Methods for Implementing Security Updates
• Monitor security updates: know which updates are available and which security issues each one is designed to fix
• Use tools such as Microsoft Baseline Security Analyzer, Windows Update, Software Update Services (later Windows Server Update Services), and Systems Management Server to deploy security updates
• Implement security updates on ISA Server only after thorough evaluation and testing
Guidelines for Enabling Only Required Services
• Enable only the services ISA Server and its selected components need
• Minimize the number of Windows 2000 and Windows Server 2003 built-in services that run on the server
How to Secure the Network Interfaces
• Secure the External Network Interface:
  • Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks
  • Disable NetBIOS over TCP/IP
  • Disable LMHOSTS lookup
  • Disable automatic DNS name registration
• Configure the Internal Network Interface:
  • Disable the same components if they are not required
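The external-interface settings above can be applied and, more importantly, read back for your change record. The script below is an added example, not course or Microsoft code: it uses WMI (Win32_NetworkAdapterConfiguration) on the ISA Server itself, selecting the adapter by its address. The external address 203.0.113.10 is an assumption. Unbinding File and Printer Sharing and Client for Microsoft Networks is not scripted, because on Windows Server 2003 that is done in the adapter's Properties dialog; the script only reminds you of that step.

```powershell
# Added example, not course material: harden the External network interface
# of an ISA Server with WMI. The external address is an assumption.
param([string] $ExternalIp = '203.0.113.10')
$ErrorActionPreference = 'Stop'

function Assert-WmiResult {
    # Win32_NetworkAdapterConfiguration methods return 0 (done) or 1 (reboot needed).
    param($Result, [string] $What)
    if (-not (0, 1 -contains $Result.ReturnValue)) {
        throw "$What failed with return value $($Result.ReturnValue)"
    }
    if ($Result.ReturnValue -eq 1) { Write-Warning "$What requires a reboot" }
}

$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.IPAddress -contains $ExternalIp }
if (-not $nic) { throw "No IP-enabled adapter holds $ExternalIp" }
if (@($nic).Count -ne 1) { throw "More than one adapter holds $ExternalIp" }

# NetBIOS over TCP/IP on this adapter only: 2 = disable (0 = via DHCP, 1 = enable).
Assert-WmiResult ($nic.SetTcpipNetbios(2)) 'SetTcpipNetbios'

# No dynamic DNS registration of the external address, neither the primary
# nor the connection-suffix registration.
Assert-WmiResult ($nic.SetDynamicDNSRegistration($false, $false)) 'SetDynamicDNSRegistration'

# LMHOSTS lookup is a system-wide NetBT setting, not per adapter.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Set-ItemProperty -Path $netbt -Name EnableLMHOSTS -Value 0 -Type DWord

# Read the settings back so the change is verifiable, not just attempted.
$after = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
[pscustomobject] @{
    Adapter         = $after.Description
    NetbiosOption   = $after.TcpipNetbiosOptions        # expect 2
    DnsRegistration = $after.FullDNSRegistrationEnabled # expect False
    LmhostsLookup   = (Get-ItemProperty -Path $netbt).EnableLMHOSTS   # expect 0
}
Write-Warning 'Still to do by hand: clear File and Printer Sharing and Client for Microsoft Networks in the adapter properties.'
```

Run it in an elevated PowerShell session on the ISA Server. ISA Server's system policy already blocks unsolicited NetBIOS and SMB from the External network; removing the bindings is defense in depth for the case where the firewall service is stopped or misconfigured.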
Configuring Administrative Roles
ISA Server 2004 administrative roles, from least to most privilege: ISA Server Basic Monitoring, ISA Server Extended Monitoring, and ISA Server Full Administrator. Assign the role that matches the task; only Full Administrators can change firewall policy.
Best Practices for Securing the Server
Securing ISA Server:
• Do not install ISA Server on a domain controller
• Avoid installing an Internet edge server as a domain member
• Rename the Administrator account
• Disable unused functionality
• Apply Windows Server security best practices
Practice: Securing the ISA Server
• Configuring Active Directory for Securing ISA Server
• Configuring Security on Den-ISA-01
(Lab computers: Den-ISA-01, Den-Clt-01, Den-DC-01; Internet)
Lesson: Maintaining ISA Server 2004 • About Monitoring the Server Running ISA Server • About Exporting and Importing the ISA Server Configuration • About Backing Up and Restoring the ISA Server Configuration • Remote Administration Options for ISA Server
About Monitoring the Server Running ISA Server ISA Server monitoring tasks include
About Exporting and Importing the ISA Server Configuration
• Use export and import to clone an ISA Server, to save a configuration for troubleshooting, or to roll back a configuration change
• You can export the entire ISA Server configuration, or any individual setting or group of settings
• Confidential information (passwords, shared secrets) and user permission settings are included only if you select them at export time; confidential data is encrypted with a password you supply, so protect both the file and that password
• Importing a configuration overwrites all settings present in the exported file
About Backing Up and Restoring the ISA Server Configuration
• Use backup to create a configuration file that can be used for disaster recovery
• Backup creates a file with the entire ISA Server configuration
• Restoring a backup overwrites all ISA Server settings
Remote Administration Options for ISA Server
• Use remote administration to manage physically secured servers or servers in other offices
• Use Remote Desktop or Terminal Services to manage all settings on the server running ISA Server
• Use the ISA Server Management MMC to manage ISA Server settings remotely
• Configure the server running ISA Server to enable Remote Desktop, and configure System Policy to enable remote MMC management; in both cases restrict the source to the Remote Management Computers computer set rather than the whole Internal network
Practice: Maintaining ISA Server 2004
• Preparing the Client Computer for Remote Administration
• Preparing ISA Server for Remote Management
• Remotely administering ISA Server
(Lab computers: Den-ISA-01, Den-Clt-01, Den-DC-01; Internet)