420 likes | 432 Views
This session provides an introduction to ISA Server 2004 and covers topics such as securing access to internal servers, implementing application and web filtering, securing access to Exchange Server, and virtual private networking with ISA Server 2004.
E N D
Securing the Perimeter – Exchange and VPN Access with ISA Server 2004 Jamie Sharp CISSP Security Advisor Amit Pawar National Technology Specialist Microsoft Australia
Session Overview • Introduction to ISA Server 2004 • Securing Access to Internal Servers • Implementing Application and Web Filtering • Securing Access to Exchange Server • Virtual Private Networking with ISA Server 2004
Introduction to ISA Server 2004 • Introduction to ISA Server 2004 • Securing Access to Internal Servers • Implementing Application and Web Filtering • Securing Access to Exchange Server • Virtual Private Networking with ISA Server 2004
Securing the Network Perimeter: What Are the Challenges? Business partner Main office • Challenges Include: • Determining proper firewall design • Access to resources for remote users • Effective monitoring and reporting • Need for enhanced packet inspection • Security standards compliance Internet Wireless Branch office Remote user
Securing the Network Perimeter: What Are the Design Options? Three-legged configuration Bastion host Internal network Internal network Perimeternetwork Web server Back-to-backconfiguration Internal network Perimeternetwork Internet
Configuring ISA Server to Secure the Network Perimeter Use ISA Server to: • Provide firewall functionality • Publish internal resources such as Web or Exchange servers • Implement multilayer packet inspection and filtering • Provide VPN access for remote users and sites • Provide proxy and caching services WebServer LAN WebServer ISAServer VPN Server Internet ExchangeServer Remote User User
ISA Server 2004 Default Configuration The ISA Server default configuration blocks all network traffic between networks connected to ISA Server Only members of the local Administrators group have administrative permissions ü Default networks are created ü Access rules include system policy rules and the default access rule ü No servers are published ü Caching is disabled ü The Firewall Client Installation Share is accessible if installed ü
Access rules always define: • Destination network • Destination IP • Destination site • Allow • Deny • User an actionontrafficfromuserfromsourceto destinationwithconditions • Protocol • IP port/type • Source network • Source IP • Schedule • Content type Configuring Access Rules • Types of access rule elements used to create access rules are: • Protocols • User sets • Content types • Schedules • Network objects
Implementing Network Templates to Configure ISA Server 2004 Bastion host Three-legged configuration Internal network Internal network Perimeternetwork Web server Deploy the3-Leg Perimetertemplate Back-to-backconfiguration Deploy theEdgeFirewalltemplate Internal network Deploy theFront End orBack Endtemplate Perimeternetwork Internet Deploy the Single Network Adapter template for Web proxy and caching only
Demonstration: Applying a Network Template • Use a network template to configure ISA Server 2004 as an edge firewall
Deploying ISA Server 2004: Best Practices To deploy ISA Server to provide Internet access: • Plan for DNS name resolution • Create the required access rule elements and configure the access rules • Plan the access rule order • Implement the appropriate authentication mechanisms • Test access rules before deployment • Deploy the Firewall Client for maximum security and functionality • Use ISA Server logging to troubleshoot Internet connectivity issues
Securing Access to Internal Servers • Introduction to ISA Server 2004 • Securing Access to Internal Servers • Implementing Application and Web Filtering • Securing Access to Exchange Server • Virtual Private Networking with ISA Server 2004
What Is ISA Server Publishing? ISA Server enables three types of publishing rules: • Web publishing rules for publishing Web sites using HTTP • Secure Web publishing rules for publishing Web sites that require SSL for encryption • Server publishing rules for publishing servers that do not use HTTP or HTTPS
Implementing ISA Server Web Publishing Rules To create a Web publishing rule, configure: • Action • Name or IP address • Users • Traffic source • Public name • Web listener • Path mappings • Bridging • Link translation
Implementing ISA Server Secure Web Publishing Rules To create a secure Web publishing rule: • Choose an SSL bridging mode or SSL tunneling • Install a digital certificate on ISA Server, on a Web server, or on both • Configure a Web listener for SSL • Configure a secure Web publishing rule
Demonstration: Configuring a Secure Web Publishing Rule • Configure a secure Web publishing rule to an internal Web server
Implementing Server Publishing Rules To create a server publishing rule, configure: • Action • Traffic • Traffic source • Traffic destination • Networks To enable secure server publishing, configure ISA Server to publish a secure protocol, and then install a server certificate on the published server
Implementing Application and Web Filtering • Introduction to ISA Server 2004 • Securing Access to Internal Servers • Implementing Application and Web Filtering • Securing Access to Exchange Server • Virtual Private Networking with ISA Server 2004
Packet filtering: • Filters packets based on information in the network and transport layer headers • Enables fast packet inspection, but cannot detect higher-level attacks Stateful filtering: • Filters packets based on the TCP session information • Ensures that only packets that are part of a valid session are accepted, but cannot inspect application data Application filtering: • Filters packets based on the application payload in network packets • Can prevent malicious attacks and enforce user policies Firewall Requirements: Multiple-Layer Filtering
HTTP Web filtering can block HTTP packets based on: • Length of request headers and payload • Length of URL • HTTP request method • HTTP request file name extension • HTTP request or response header • Signature or pattern in the response header or body Implementing HTTP Web Filtering in ISA Server 2004 Use HTTP Web filtering to: • Filter traffic from internal clients to other networks • Filter traffic from Internet clients to internal Web servers HTTP Web filtering is rule-specific—you can configure different filters for each access or publishing rule
Demonstration: Application Filtering in ISA Server 2004 • Edit the default application filtering that is performed by ISA Server 2004
Securing Access to Exchange Server • Introduction to ISA Server 2004 • Securing Access to Internal Servers • Implementing Application and Web Filtering • Securing Access to Exchange Server • Virtual Private Networking with ISA Server 2004
Secure Client Access to Exchange Server Challenges Outlook Mobile Access XHTML, cHTML, HTML ActiveSync-Enabled mobile devices Exchange front-end server Wireless network Outlook Web Access Outlook using RPC Outlook using RPC over HTTP Outlook express using IMAP4 or POP3 ISAserver Exchange back-end servers
Configuring RPC over HTTP Client Access RPC over HTTP requires: • Outlook 2003 running on Windows XP • Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers • Windows Server 2003 server running RPC proxy server • Modifying the Outlook profile to use RPC over HTTP to connect to the Exchange server To enable RPC over HTTP connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/*virtual directory
Configuring ISA Server for Outlook Web Access To configure ISA Server to enable OWA access: Use the Mail Server Publishing Wizard to publishthe OWA server 1 Configure a bridging mode. For best security, secure the connection from client to ISA Server and from ISA Server to OWA server 2 Configure a Web listener for OWA publishing. Choose forms-based authentication for the Web listener 3 Forms-based authentication ensures that user credentials are not stored on the client computer; can be used to block access to attachments
Demonstration: Configuring Outlook Web Access • Configure an OWA publishing rule
Securing Access to Exchange Server: Best Practices Enable Outlook RPC connections for pre–Exchange Server 2003 and Outlook 2003 environments ü Use forms-based authentication on ISA Server for OWA ü Implement RPC over HTTPS with SSL ü Explore the use of additional ISA Server features to protect computers running Exchange Server ü Consider third-party add-ons for ISA Server to protect computers running Exchange Server ü
Virtual Private Networking with ISA Server 2004 • Introduction to ISA Server 2004 • Securing Access to Internal Servers • Implementing Application and Web Filtering • Securing Access to Exchange Server • Virtual Private Networking with ISA Server 2004
Virtual Private Networking: What Are the Challenges? VPNs provide a secure option for communicating across a public network VPNS are used in two primary scenarios: • Network access for remote clients • Network access between sites VPN quarantine control provides an additional level of security by providing the ability to check the configuration of the VPN client machines before allowing them access to the organization’s network
Enabling Virtual Private Networking with ISA Server ISA Server enables VPN access: • By including remote-client VPN access for individual clients and site-to-site VPN access to connect multiple sites • By enabling VPN-specific networks, including: • VPN Clients network • Quarantined VPN Clients network • Remote-site network • By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running ISA Server • By extending RRAS functionality
Enabling VPN Client Connections To enable VPN client connections: • Choose a tunneling protocol • Choose an authentication protocol • Use MS-CHAP v2 or EAP if possible • Enable VPN client access in ISA Server Management • Configure user accounts for remote access • Configure remote-access settings • Configure firewall access rules for the VPN Clients network
Implementing Site-to-Site VPN Connections To enable site-to-site VPN connections: • Choose a tunneling protocol • Configure the remote-site network • Configure network rules and access rules to enable: • open communications between networks, or • controlled communications between networks • Configure the remote-site VPN gateway
VPN clients network Webserver Domaincontroller Quarantine script Quarantine remote access policy Rqc.exe ISAserver DNSserver Fileserver Quarantined VPN Clients Network How Does Network Quarantine Work? VPN Clients Network WebServer DomainController Quarantine script Quarantine remote access policy RQC.exe ISAServer DNSServer FileServer VPN QuarantineClients Network
Implementing Network Quarantine To implement quarantine control on ISA Server: Create a client-side script that validates client configuration 1 Use CMAK to create a CM profile for remote-access clients 2 Create and install a listener component 3 Enable quarantine control on ISA Server 4 Configure network rules and access rules for the Quarantined VPN Clients network 5
Configuring VPN Access Using ISA Server: Best Practices Use strongest possible authentication protocols ü Enforce the use of strong passwords when using PPTP ü Avoid the use of pre-shared keys for L2TP/IPSec ü Configure access rules to control access for VPN clients and site-to-site VPN connections ü Use access rules to provide quarantined VPN clients with the means to meet the security requirements ü
Session Summary ISA Server 2004 is secure by default because it blocks all traffic—configure access rules to provide the fewest possible access rights ü Many applications now use HTTP as a tunneling protocol—use HTTP filtering to block the applications ü Implementing Outlook RPC publishing and RPC over HTTP publishing means that users can use Outlook from anywhere ü Implement ISA Server publishing rules to make internal resources accessible from the Internet ü Use access rules to limit access for VPN remote-access clients, site-to-site VPN clients, and network quarantine clients ü
ISA Server 2004 Resources • ISAServer.org – www.isaserver.org • FREE! TechNet Virtual Lab: ISA Server • http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx • 838709 How to use the ISA Server 2004 migration tool to migrate from ISA Server 2000 to ISA Server 2004 • 840697 ISA Server 2000 settings and features that are not supported when you migrate to ISA Server 2004
For More Information… • The official ISA Server site: • www.microsoft.com/isaserver • A useful site with a wealth of information: • www.isaserver.org
What is TechNet? • Put the right answers at your fingertips • The comprehensive collection of resources to help IT prosplan, deploy and manage Microsoft products successfully TechNet Subscription • Comprehensive set of resources delivered reliably every month on CD or DVD – The trusted resource for guidance, tools and software to efficiently evaluate, deploy and support Microsoft technologies. TechNet Web Site • Accessible at www.microsoft.com/technet • Online resources and community • Subscriber-only Online Services TechNet Flash • Biweekly e-newsletter • Security updates, new resources, and special offers TechNet Events and Webcasts • Briefings on the latest Microsoft products and technologies • Hands-on, “how to” information TechNet Communities • User Groups • Managed Newsgroups
Connect with TechNet Microsoft’s TechNet programs provide IT professionals with high-quality, how-to information and resources to efficiently evaluate, deploy, maintain and support their Microsoft technology. To learn more, subscribe, or attend a free briefing, please visit: • Free Technical Briefings: www.microsoft.com/seminar/events • TechNet Webcasts: www.microsoft.com/webcasts • TechNet Flash Newsletter: www.microsoft.com/technet/flash • TechNet Online: www.microsoft.com/technet • Security Notification Service Sign-Up:www.microsoft.com/technet/security/signup/default.mspx • TechNet Subscription*: www.microsoft.com/technet/subscriptions * Microsoft TechNet Subscription Giveaway Complete the webcast survey to be entered to win a one year TechNet Plus subscription. See the official rules http://www.microsoft.com/seminar/events/officialrules_1.mspx for details.
Questions and Answers • Submit text questions using the “Ask a Question” button • Don’t forget to fill out the survey • For upcoming and recordings of previous webcasts: www.microsoft.com/webcasts • Have webcast content ideas?Send us e-mail at: webcasts@microsoft.com
https://msevents.microsoft.com/CUI/WelcomePage.aspx?EventID=...https://msevents.microsoft.com/CUI/WelcomePage.aspx?EventID=... • [Live Meeting Web Page. Use Live Meeting > Edit Slide Properties... to edit.]