Configuring Access to Internal Resources
What is ISA server publishing?
• Publish internal servers to the Internet, so that users on the Internet can access those internal resources
• Making internal resources accessible to the Internet increases the security risks for the organization.
• ISA Server uses Web and server publishing rules to publish internal network resources to the Internet
Diagram: a remote user's client on the Internet reaches the internal Web server, file server and mail server through ISA Server.
What is ISA server publishing?
Diagram: the Web server, mail server and file server sit in a perimeter network behind the ISA server and in front of the internal network. Using a perimeter network provides an additional layer of security!!!
What Are Web Publishing Rules?
• Make Web sites on protected networks available to users on other networks, such as the Internet
• A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers
• Web publishing is sometimes referred to as "reverse proxying".
What do Web publishing rules provide?
• Access to Web servers running the HTTP protocol
• HTTP application-layer filtering
• Path mapping
• User authentication
• Content caching
• Support for publishing multiple Web sites using a single IP address
• Link translation
What Are Server Publishing Rules?
• Web publishing and secure Web publishing rules can grant access only to Web servers using HTTP or HTTPS.
• To grant access to internal resources using any other protocol, you must configure server publishing rules!!!
What do Server publishing rules provide?
• Access to multiple protocols
• Application-layer filtering for specified protocols
• Support for encryption
• IP address logging for the client computer
Considerations for Configuring DNS for Web and Server Publishing
Diagram: the Web server with internal IP address 172.16.10.1 is published as http://isalab.com on the ISA server's external IP address 131.107.1.1.
A split DNS uses two different DNS servers with the same DNS domain name to provide name resolution for internally and externally accessible resources!
Configuring Web Publishing Rules
• Web Listener
• Non-SSL Web Publishing Rules
• SSL Web Publishing Rules
Web Listener
• Web listeners are used by Web and secure Web publishing rules
• A Web listener is an ISA Server configuration object that defines how the ISA Server computer listens for HTTP requests and SSL requests
• All incoming Web requests must be received by a Web listener
• A Web listener may be used in multiple Web publishing rules
Web Listener
Diagram: a Web listener on the ISA server's external IP address 131.107.1.1 receives requests for http://isalab.com and passes them to the Web server at 172.16.10.1 on the internal network.
How to Configure Web Listeners
• Network
• Port numbers
• Client authentication methods
• Client Connection Settings
• Network: relevant if you have multiple network adapters or multiple IP addresses
• Port numbers: by default, the Web listener listens for HTTP requests on port 80
How to Configure Web Listeners
The Web listener "listens" on an interface or IP address that you choose for incoming connections to the port you define
Configuring Non-SSL Web Publishing Rules
• Rule Action Page
Configuring Non-SSL Web Publishing Rules
• Publishing Type Page
  • Publish a single Web site or load balancer
  • Publish a server farm of load balanced Web servers
  • Publish multiple Web sites
Configuring Non-SSL Web Publishing Rules
• The Server Connection Security Page
Configuring Non-SSL Web Publishing Rules
• The Internal Publishing Details Page
  • Internal site name
  • Computer name or IP address
  • Path name
  • Forward the original host header instead of the actual one
Configuring Non-SSL Web Publishing Rules
• The Public Name Details Page
  • Accept requests for
  • Public name
  • Path (optional)
Configuring Non-SSL Web Publishing Rules
• The Select Web Listener Page and Creating an HTTP Web Listener
  • Edit
  • New
• The Authentication Settings Page
Web Listener Authentication Methods
• Basic
• Digest
• Integrated
• RADIUS
• RADIUS OTP
• SecurID
• OWA Forms-based
• Forms-Based Authentication
• SSL Certificate
Configuring Non-SSL Web Publishing Rules
• The Single Sign On Settings Page
• The Authentication Delegation Page
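As an added illustration (not material from these slides, and not ISA Server code), the following Python model shows what the pages above configure: a Web publishing rule matches the public name and path, maps the path to the internal site, applies the "forward the original host header" option, and link translation rewrites internal names in responses. 172.16.10.1 and isalab.com come from the slides; the "mail-int" server name and the paths are assumed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class WebPublishingRule:
    public_name: str               # Public Name Details page: host name the listener accepts
    public_path: str               # public path, "/*" or a prefix such as "/owa/*"
    internal_site: str             # Internal Publishing Details: internal site name or IP
    internal_path: str             # path mapping target on the internal server
    forward_original_host: bool = False   # "Forward the original host header instead of the actual one"
    internal_port: int = 80

def _path_matches(pattern: str, path: str) -> bool:
    # "/prefix/*" matches everything below the prefix; otherwise the path must match exactly
    return path.startswith(pattern[:-1]) if pattern.endswith("/*") else path == pattern

def _map_path(rule: WebPublishingRule, path: str) -> str:
    # Path mapping: swap the matched public prefix for the internal one, keep the remainder
    if rule.public_path.endswith("/*"):
        return rule.internal_path[:-1] + path[len(rule.public_path) - 1:]
    return rule.internal_path

def route(host: str, path: str, rules: List[WebPublishingRule]) -> Optional[Tuple[str, str]]:
    """Return (internal URL, Host header to send) for the first matching rule, or None when
    no rule publishes this public name/path (the request is then not forwarded)."""
    for rule in rules:
        if host.lower() == rule.public_name.lower() and _path_matches(rule.public_path, path):
            target = f"http://{rule.internal_site}:{rule.internal_port}{_map_path(rule, path)}"
            host_header = host if rule.forward_original_host else rule.internal_site
            return target, host_header
    return None

def translate_links(body: str, rule: WebPublishingRule) -> str:
    # Link translation: internal names the server embeds in responses become the public name
    return body.replace(f"http://{rule.internal_site}", f"http://{rule.public_name}")

# Constructed rules: two sites behind one listener IP address, distinguished by public name.
# 172.16.10.1 / isalab.com come from the slides; "mail-int" is an assumed internal name.
RULES = [
    WebPublishingRule("www.isalab.com", "/*", "172.16.10.1", "/*"),
    WebPublishingRule("mail.isalab.com", "/owa/*", "mail-int", "/exchange/*",
                      forward_original_host=True),
]
```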
Secure Web Publishing
Diagram: the remote user's client connects over the Internet to the published Web server, and the content is encrypted. More secure!!
Cryptography issues
• Only the sender and the intended receiver should "understand" the message contents
• sender encrypts message
• receiver decrypts message
Diagram: Sender → Encrypt → Decrypt → Receiver
Types of Cryptography
• Crypto often uses keys:
  • Algorithm is known to everyone
  • Only "keys" are secret
• Public key cryptography
  • Involves the use of two keys
• Symmetric key cryptography
  • Involves the use of one key
• Hash functions
  • Involves the use of no keys
  • Nothing secret: how can this be useful?
Secret-Key or Symmetric Cryptography
Diagram: the sender and receiver agree on an encryption method and a shared key; the sender uses the key and the encryption method to encrypt (or encipher) a message and sends the encrypted message; the receiver uses the same key and the related decryption method to decrypt (or decipher) the message.
Public key or Asymmetric Cryptography
Diagram: the sender generates a public key and sends it to the receiver; the receiver uses the sender's public key to encrypt a message and sends the encrypted message; the sender uses the private key to decrypt this message. No-one without access to the sender's private key (or the information used to construct it) can easily decrypt the message!!
Hash Function Algorithms
• A hash function is a mathematical function that creates a message digest from a message.
• A message digest is used to create a unique digital signature for a particular document.
• MD5 example
Diagram: Original Message (Document, E-mail) → Hash Function → Digest
Digital signature
How can the Receiver determine that the message received was indeed sent by the Sender?
Diagram: the sender encrypts the message with the private key and sends the encrypted message; the receiver decrypts it with the sender's public key.
Diagram: Data → Hash → Signature; the receiver verifies the signature with the Public Key: does it match?
Man in the Middle
Diagram: an attacker sitting between the sender and the receiver can modify the message in transit.
Digital certificate
• A digital certificate (DC) is a digital file that certifies the identity of an individual or institution, or even a router seeking access to computer-based information. It is issued by a Certification Authority (CA), and serves the same purpose as a driver's license or a passport.
Digital certificate
Diagram: a CERTIFICATE contains the Issuer, the Subject, the Subject Public Key and the Issuer Digital Signature.
Certification Authorities
• A trusted agent who certifies public keys for general use (a corporation or a bank).
• The user has to decide which CAs can be trusted.
• The model for key certification based on friends and friends of friends is called the "Web of Trust".
  • The public key is passed from friend to friend.
  • Works well in small or highly connected worlds.
  • What if you receive a public key from someone you don't know?
CA model
Diagram: Root Certificate → CA Certificate → CA Certificate → Browser Cert. / Server Cert.
What is the process of obtaining a certificate?
Diagram: the sender generates a public/private key pair; the CA verifies the sender's identity and issues a digital certificate containing the public key (OK!!); the sender encrypts, and the receiver uses the certificate to verify and decrypt.
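As an added worked example for the hash, digital signature, man-in-the-middle and certificate chain slides above (this is not the slides' own material): a toy textbook RSA in Python signs a message digest, verifies it, detects a modified message, and checks a certificate chain from a trusted root, mirroring the Issuer / Subject / Subject Public Key / Issuer Signature fields of the certificate slide. The fixed Mersenne primes, the "Root CA" / "Issuing CA" names and the certificate encoding are constructed assumptions; isalab.com is the name from the slides.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA on fixed Mersenne primes so it runs offline (constructed; real keys are
# random 2048-bit+ and real signatures add padding such as PKCS#1 v1.5 or PSS)
P_ROOT, Q_ROOT = 2**127 - 1, 2**61 - 1
P_CA, Q_CA = 2**107 - 1, 2**89 - 1
E = 65537

def make_key(p, q):                      # returns (public (n, e), private (n, d))
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes) -> int:          # hash function -> message digest
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")  # 128 bits, so < n

def sign(priv, data: bytes) -> int:      # digest "encrypted" with the private key
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:   # recover digest with public key, compare
    n, e = pub
    return pow(sig, e, n) == digest(data)

@dataclass(frozen=True)
class Cert:
    subject: str
    pub: tuple        # subject public key (n, e)
    issuer: str
    sig: int          # issuer's digital signature over the three fields above

def to_be_signed(subject: str, pub, issuer: str) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue(issuer: str, issuer_priv, subject: str, subject_pub) -> Cert:
    return Cert(subject, subject_pub, issuer,
                sign(issuer_priv, to_be_signed(subject, subject_pub, issuer)))

def verify_chain(chain, trusted_root_pub) -> bool:
    # chain = [server, issuing CA, ..., root]: each cert signed by the next; root self-signed and trusted
    for cert, parent in zip(chain, chain[1:] + [chain[-1]]):
        if cert.issuer != parent.subject or not verify(
                parent.pub, to_be_signed(cert.subject, cert.pub, cert.issuer), cert.sig):
            return False
    return chain[-1].pub == trusted_root_pub

def build_chain():   # constructed chain: Root CA -> Issuing CA -> isalab.com (name from the slides)
    root_pub, root_priv = make_key(P_ROOT, Q_ROOT)
    ca_pub, ca_priv = make_key(P_CA, Q_CA)
    srv_pub = ((2**521 - 1) * (2**31 - 1), E)   # server public key; its private half is unused here
    root = issue("Root CA", root_priv, "Root CA", root_pub)          # self-signed
    ca = issue("Root CA", root_priv, "Issuing CA", ca_pub)
    srv = issue("Issuing CA", ca_priv, "isalab.com", srv_pub)
    return [srv, ca, root], root_pub
```

Changing one byte of the signed data, swapping the subject name in the server certificate, or presenting a root the verifier does not trust all make verification fail; that is the check a browser performs against the server certificate in the CA model slide.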
Secure Sockets Layer
• Secure Sockets Layer (SSL) is used to validate the identities of two computers involved in a connection across a public network, and to ensure that the data sent between the two computers is encrypted
• SSL uses digital certificates and public and private keys
Secure Sockets Layer
Diagram: SSL sits between the application and TCP on both ends of the connection: Application / SSL / TCP / IP on each side.
Advantages of SSL
• Independent of the application layer
• Includes support for negotiated encryption techniques
  • Easy to add new techniques
• Possible to switch encryption algorithms in the middle of a session
HTTPS Usage
• HTTPS is HTTP running over SSL.
• Used for most secure Web transactions.
• An HTTPS server usually runs on port 443.
• Includes verification of the server via a certificate.
• Central trusted source of certificates
SSL and ISA Server 2006
• SSL bridging
• SSL tunneling
Configuring SSL-to-SSL Bridging for Secured Websites
• Working with Third-Party Certificate Authorities
• Installing a Local Certificate Authority and Using Certificates
• Modifying a Rule to Allow for End-to-End SSL Bridging
• Installing an SSL Certificate on a SharePoint Server
• Exporting and Importing the SharePoint SSL Certificate to the ISA Server
• Creating a SharePoint Publishing Rule