
Microsoft ISA Server, an Overview Matthew Cook 14th January 2004



Presentation Transcript

  1. East Midlands RSC & Bandwidth Management Advisory Service Microsoft ISA Server, an Overview Matthew Cook 14th January 2004

  2. Welcome Matthew Cook Senior IT Security Specialist Loughborough University Computing Services http://escarpment.net/

  3. Introduction Provide an overview of MS ISA Server: • Background • ISA Server Features • Sizing • Patching • Troubleshooting • Useful links and 3rd party products

  4. Important Notices • Fire Alarms • No Smoking Policy • Toilets • Mobile Phones • Rooms: N.3.13 • Evaluation Forms

  5. Background Microsoft Proxy Server I • Released November 1996 • WinSock Proxy facilities • Lack of fault tolerance • Lack of security features • Left behind by rivals such as Netscape Proxy Server.

  6. Background… Microsoft Proxy Server II • Fault tolerance issues addressed with the introduction of proxy server arrays • Cache Array Routing Protocol (Similar to Internet Cache Protocol) • Automatic Synchronisation • Caching support improved (FTP and HTTP) • Reverse Proxy and Hosting • MMC Compliant

  7. Microsoft ISA Server • Microsoft Internet Security & Acceleration Server 2000 is an internet firewall and web cache which is capable of integrating into an existing Windows infrastructure. • Further details and resources are available at: http://www.microsoft.com/isaserver/ • ISA Server is a Firewall and a Cache or just a Cache!

  8. Microsoft ISA Server… • Microsoft ISA Server 2000 is a vast improvement over Microsoft Proxy Server 2.0 in terms of manageability and the fine-grained controls available to control internet usage. The inclusion of policy based access controls can restrict access to certain web sites by utilising a number of rules: • Time of day • User name • IP address • Content type • Website address

  9. Microsoft ISA Server… • Integrated Virtual Private Networking • Integration with Active Directory • Intrusion Detection • Secure NAT • Bandwidth Allocation and QoS • Secure Server Publishing • Enterprise Management • Monitoring and Report Generation

  10. Microsoft ISA Server… • Email content screening • H.323 Gatekeeper functionality • Enhanced software for media streaming

  11. What is H.323? H.323 is the standard for the transmission of audio, video and associated data across IP based networks. • Interoperability between systems supporting H.323. • Uses a multitude of ports and many UDP streams. • Very complex to firewall without pre-defined rules

  12. Caching Types • Hierarchical caching - allowing one to set up a hierarchy of caches that requests can pass through, all with different or the same policy rule sets. • Reverse caching - with ISA Server accelerating the content of local web or FTP server farms, improving the retrieval rate of objects. • Scheduled caching - where ISA Server will pre-download and refresh content.

  13. Basic Installation

  14. Hardware Requirements • Microsoft recommends an Intel Pentium II 300Mhz processor, 20Mb of NTFS disc space and 256Mb RAM. • The test system was an Intel Pentium II 450mhz processor, 2Gb System Disc and for the cache two 4Gb SCSI drives and 256Mb RAM.

  15. Hardware Requirements… • If you are using ISA Server in firewall or integrated mode, two network adapters are required. • The more spindles available the better, as disc speed is often the bottleneck. • Baseline server hardware before installing into service.

  16. Software Requirements • Microsoft Windows 2000 (Minimum SP1), Microsoft ISA Server 2000, Service Packs and Patches. • A 120 day evaluation copy of Microsoft ISA Server 2000 is available for free download from: http://www.microsoft.com/isaserver/evaluation/trial/default.asp

  17. ISA Server Sizing • When installing ISA Server to use as a simple web cache (Forward caching) you need to consider the number of clients accessing the internet at one time. • For up to 500 users, Microsoft recommend a Single PII 300Mhz machine with 256Mb RAM and 2-4Gb of disc storage.

  18. ISA Server Sizing… • For 500 – 1,000 users a Dual PIII 550Mhz machine with 256Mb RAM and 10GB of disc storage is recommended. • For more than 1,000 users, two Dual PIII 550Mhz machines with 256Mb RAM and 10Gb is recommended. Note: If you set up more than one ISA server, you will need to upgrade to ISA Server Enterprise Edition.

  19. Secure the OS • Patch, test, patch and yet more patching! • Install the latest service pack. • Install hot fixes from Windows update or via the links from MSBA. • Microsoft Security Baseline Analyzer is available from: http://www.microsoft.com/security/

  20. Windows 2003 Server ISA Server is supported providing: • ISA Server Service Pack 1 is applied • Isahf255.exe is applied (Knowledge Base article 331062) • You are NOT running Web Edition

  21. Patching ISA Server • Patch, test, patch and yet more patching! • ISA Server Service Pack 1 • Other hot fixes: http://www.microsoft.com/isaserver/downloads/ • H.323 Security vulnerability released …

  22. H.323 Vulnerability Released 13th January MS04-001 Critical – Could allow remote code execution. The vulnerability is caused due to errors processing H.323 over TCP (default 1720). The H.323 filter is on by default for integrated or firewall mode.

  23. ISA Server Feature Pack 1 • Released September 2003 (4Mb) Provides: • Enhanced SMTP and Exchange RPC filters • URL Scan 2.5 • RSA SecurID Authentication • Basic Authentication Delegation • OWA and RPC Filter Wizard • Link translator • More documentation

  24. Troubleshooting • Issues on low bandwidth links: Bandwidth Rule Wizard KB:302875 • Cache Initialisation Errors: KB:284550 • Screensavers: Blank screen or Marquee • Background Processes: SETI@Home and DNetC

  25. GFI Web Monitor • Monitors active connections on ISA Server. • What files are being downloaded or sites being visited. • Installs as an Application filter • Web based access via IIS. • Freeware • http://www.gfisoftware.com/

  26. Akonix Rogue Aware • Monitors IM and P2P traffic passing through your ISA Server. • Supports AOL, Yahoo, MSN, KaZaA, Grokster, Bearshare, Morpheus etc. • Provides reports and security audits. • Freeware • http://www.akonix.com/

  27. Links • http://www.bmas.ja.net/ • http://www.microsoft.com/isaserver/ • http://www.isaserver.org/ • http://www.indepth-tech.com/ISAServer/

  28. The Future Crystal ball time… • Windows 2003 Server • ISA Server 2004 • Patches

  29. ISA Server 2004 • Beta 2 Released late December • Codename Stingray • Many firewall improvements in L7 • Improved VPN Technology • New User Interface • Caching upgrades sketchy at the moment • Beta February 2004

  30. Questions
