isa 2004 ii


  • 8/14/2019 Isa 2004 II

    1/39

Contents

1.0 Introduction
1.1 Who should read this document
1.2 What is in this document
2.0 Feature Overview
2.1 Multi-networking and firewall policy
2.2 System policy
2.3 VPN integration
2.4 Users and authentication
2.5 Cache
2.6 Configuration export and import
3.0 Installation Process
3.1 Installation requirements
3.2 Network requirements
3.3 Installation procedure
3.4 Default settings
3.5 New ways to do familiar tasks
3.6 ISA Server computers with a single network adapter
4.0 Feature Walk-through
4.1 Scenario 1: Export a configuration
4.2 Scenario 2: Access the Internet from the Internal network
4.3 Scenario 3: Create and configure a restricted computer set
4.4 Scenario 4: Create a perimeter network using the Network Template Wizard
4.5 Scenario 5: Publish a Web server on the perimeter network
4.6 Scenario 6: Publish a Web server on the Internal network
4.7 Scenario 7: Configure virtual private networking
4.8 Scenario 8: Modify system policy
4.9 Scenario 9: Import a configuration

1.0 Introduction

Microsoft Internet Security and Acceleration (ISA) Server 2004 introduces multi-networking support, easy-to-use and highly integrated virtual private networking configuration, extended and extensible user and authentication models, and improved management features, including configuration import and export.

1.1 Who Should Read this Document

Read this document if you:

Use ISA Server 2000 and want to learn about what is new in ISA Server 2004.
Use another firewall and are new to ISA Server.
Need an introduction to ISA Server 2004 features.
Want to set up ISA Server in a laboratory and use a guided walk-through to learn how to implement ISA Server in your company. For details, see Feature Walk-through.

After you read this guide, for more information about ISA Server features and functionality, see ISA Server Help.

1.2 What's in this document

This document includes an overview of product features introduced in this release of ISA Server 2004. It also provides installation instructions. Most importantly, this document includes walk-throughs that you can implement in a laboratory environment to familiarize yourself with the product features. The best way to understand ISA Server features is to use them, so we recommend that you set up a laboratory and try the walk-throughs in this document. For details, see Feature Walk-through.

Much of the information included in this document is also available in online format, integrated into ISA Server online Help.


2.0 Feature Overview

The following table lists new and improved ISA Server 2004 features. More detail is provided in the sections that follow.

Multi-networking

New or improved | Feature | Description
New | Multiple network configuration | You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks, and not necessarily relative to a given Internal network. Whereas in ISA Server 2000, all traffic was inspected relative to a local address table (LAT) that included only address ranges on the Internal network, ISA Server 2004 extends the firewall and security features to apply to traffic between any networks.
New | Unique per-network policies | The new multi-networking features of ISA Server enable you to protect your network against internal and external security threats, by limiting communication between clients even within your own organization. Multi-networking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, so that you can configure how clients in different networks access the perimeter network.
New | Stateful inspection of all traffic | You can examine data crossing the firewall in the context of its protocol and the state of the connection, no matter the source or destination.
New | NAT and route network relationships | You can use ISA Server to define relationships between networks, depending on the type of access and communication allowed between the networks. In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a network address translation (NAT) relationship. In other scenarios, you want to simply route traffic through ISA Server. In these cases, you can define a route relationship.
New | Network templates | ISA Server includes network templates, which correspond to common network topologies. You can use the network templates to configure the firewall policy for traffic between networks. When you apply a network template, ISA Server creates the necessary set of rules to allow traffic, in accordance with your specified policy.

Virtual private networking

New or improved | Feature | Description
Improved | VPN administration | ISA Server includes a highly integrated virtual private network (VPN) mechanism. You can administer VPN connections through ISA Server Management as you would administer physically connected networks and clients. You have the full functionality of ISA Server available for VPN connections, including monitoring, logging, and session management.
New | Stateful inspection for VPN | VPN clients are configured as a separate network. Therefore, you can create distinct policies for VPN clients. The rule engine discriminately checks requests from VPN clients, statefully inspecting these requests and dynamically opening connections, based on the access policy.
New | Interoperability with third-party VPN solutions | Because of support for industry standard Internet Protocol security (IPSec), ISA Server 2004 can plug into environments with existing VPN infrastructures from other vendors, including those employing IPSec tunnel mode configurations for site-to-site connections.
New | Quarantine Control | VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified.

Security and firewall

New or improved | Feature | Description
New | Extensive protocol support | ISA Server 2004 extends ISA Server 2000 functionality, by allowing you to control access and usage of any protocol, including IP-level protocols. You can use applications such as ping and tracert, and create VPN connections using the Point-to-Point Tunneling Protocol (PPTP). In addition, Internet Protocol security (IPSec) traffic can be enabled through ISA Server.
Improved | Authentication | Users can be authenticated using built-in Microsoft Windows or Remote Authentication Dial-In User Service (RADIUS) authentication types, or other namespaces. Rules can be applied to users or user groups in any namespace. Third-party vendors can use the software development kit to extend these built-in authentication types, offering additional authentication mechanisms.
Improved | Publishing | With ISA Server, you can place servers behind the firewall, either on the corporate network or on a perimeter network, and securely publish their services.

Cache

New or improved | Feature | Description
Improved | Cache rules | With the centralized cache rule mechanism of ISA Server, you can configure how objects stored in the cache are retrieved and served from the cache.

Management

New or improved | Feature | Description
Improved | Management | ISA Server includes new management features, making it easier to secure your networks. New user interface features include a task pane, a Help tab, an improved getting started wizard, and a new look for the firewall policy editor.
New | Export and import | ISA Server introduces the ability to export and import configuration information. You can use this feature to save configuration parameters to an .xml file and then import the information from the file to another server, enabling simple replication of firewall configurations for multiple site deployment.
New | Dashboard | A single view presents a summarized version of key monitoring information. If you note a problem, you can open detailed monitoring views for more information.
New | Log viewer | The ISA Server log viewer displays the firewall logs in real time. You can display logs in an online real time mode, or in a historic review mode. You can apply filtering on log fields to identify specific entries.
Improved | Reporting | You can generate recurring or one-time-only reports on Web usage, application usage, network traffic patterns, and security.


2.1 Multi-networking and firewall policy

Previously, the concept of an Internal network was all computers at your corporation. The External network was all computers outside your corporation, generally accessible by means of the Internet. Today's view of the network includes users accessing their corporate networks using mobile computers, thereby making themselves virtually part of different networks. Branch offices connect to headquarters, and they want to use headquarters resources as if they are part of the network. Many corporations make their servers on the corporate network (and especially their Web servers) publicly available, but want to do so by separating those servers into a different network. The multi-networking functionality of ISA Server enables you to secure these more complex network scenarios. Multi-networking support affects most ISA Server firewall features.

You can use the multi-networking features of ISA Server to protect your network against internal and external security threats by limiting communication between clients, even within your own organization. You can define relationships between the various networks you define in ISA Server, thereby determining how computers on each network communicate with each other by way of ISA Server. You can also group computers into ISA Server network objects such as computer sets and address ranges, and configure an access policy specific to each network object.

In a common publishing scenario, you might want to isolate the published servers on their own network, such as a perimeter network. The multi-networking functionality of ISA Server supports such a scenario, so that you can configure how clients on the corporate network access the perimeter network and how clients on the Internet access the perimeter network. You can configure the relationships between the various networks, defining different access policies between each network. Configuring a perimeter network topology is made easier through network templates and network template wizards in ISA Server.

The following figure illustrates a multi-networking scenario.

In the figure, the ISA Server computer connects between the Internet (External network), the corporate network (Internal network), and the perimeter network. Three network adapters are on the ISA Server computer, each connected to one of the networks. Using ISA Server, you can configure different access policies between any pair of networks. You can determine if and how computers on each of the networks communicate with each other. Each network is isolated from the other, and is only made accessible when you configure rules to allow communication.

To implement the multi-networking scenarios, ISA Server introduces the following concepts:

Networks. From an ISA Server perspective, a network is a rule element that can contain one or more ranges of IP addresses and domains. Networks include one or more computers, always corresponding to a specific network adapter on the ISA Server computer. You can apply rules to one or more networks.

Network objects. After you create networks, you can group them into sets of network objects (subnets, address ranges, computer sets, URL sets, or domain name sets). Rules can be applied to networks or to network objects.

Network rules. You can configure network rules to define and describe a network topology. Network rules determine if there is connectivity between two networks, and what type of connectivity will be allowed. Networks can be connected in one of the following ways: network address translation (NAT) or route.

2.1.1 Networks and network objects

Networks include one or more computers, typically corresponding to a physical network, defined by ranges of IP addresses. Network objects are any group of computers that you define, for example, single networks, network sets of two or more networks, or computer sets for which you want to create distinct access rules. You can apply rules to one or more networks or network objects, or to all addresses except those in the specified network or network object. Each network adapter on the computer can be mapped to a single network. You can establish the types of ISA Server clients that are supported on a particular network: Firewall, Web Proxy, or both.

ISA Server comes preconfigured with the following networks:

External. This network includes all computers (IP addresses) that are not associated with any other Internal network. The default External network cannot be deleted.

Internal. Upon installation, this network includes all computers (IP addresses) associated with the internal network address card on the ISA Server computer.

Local Host. This network represents the ISA Server computer. The Local Host network cannot be modified or deleted.

Quarantined VPN Clients. This network contains addresses of VPN clients that have not yet been approved to access the corporate network. Typically, computers in this network are allowed limited access to the corporate network.

VPN Clients. This network contains addresses of VPN clients that are currently connected. It is dynamically updated as VPN clients connect or disconnect from the ISA Server computer. The VPN Clients network cannot be deleted.

The Local Host, VPN Clients, and External networks are built-in networks, which cannot be deleted or created by the user. The Internal network is a predefined network, which is created upon installation, and it can be modified or deleted.

Network sets can be configured to include specific networks. Alternatively, network sets can be defined to not include (that is, exclude) specific networks.

These rules can be applied to networks, network sets, or network objects:

Network rules
Access rules
Publishing rules

For access rules, you specify a destination network and a source network to which the rule is to be applied. The source network indicates which networks are allowed or denied access to the specified destination networks. For server publishing rules, you specify a source network, which is allowed access to a specific computer.

2.1.2 Network rules

Network rules define and describe a network topology. Network rules determine if there is connectivity between two networks, and what type of connectivity is defined. Networks can be connected in one of the following ways:

Network address translation (NAT). When you specify this type of connection, ISA Server replaces the IP address of the client on the source network with its own IP address. NAT network rules might be used when defining a relationship between your Internal network and the External network.

Route. When you specify this type of connection, client requests from the source network are directly relayed to the destination network. The source client address is included in the request. A route network rule might be used when you publish a server located on the perimeter network.

Route network relationships are bidirectional. If a route relationship is defined from network A to network B, a route relationship also exists from network B to network A. Conversely, NAT relationships are unique and unidirectional. If a NAT relationship is defined from network A to network B, no network relationship can be defined from B to A. You can create a network rule defining both relationships, but the second network rule in the ordered list of rules will be ignored by ISA Server.

Upon installation, the following default rules are created:

Local Host Access. This rule defines a route relationship between the Local Host network and all other networks.

VPN Clients to Internal Network. This rule defines a route relationship between the two VPN client networks (VPN Clients and Quarantined VPN Clients) and the Internal network.

Internet Access. This rule defines a NAT relationship between the Internal network and the External network.

Network rules are processed in order, for each network.
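To make the route/NAT semantics above concrete, here is a small model of ordered network-rule evaluation, added as an example; it is not ISA Server code or its API, and the "Perimeter" network and the two extra rules used for the conflict case are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed model of the ISA Server 2004 network-rule semantics described
# in the guide (illustrative code, not the product's API): route relationships
# are bidirectional, NAT relationships are unidirectional, and the first rule
# in the ordered list that covers a pair of networks decides for that pair.

ROUTE = "route"
NAT = "nat"

# Built-in and predefined networks from the guide, plus a constructed
# "Perimeter" network used in the conflict example below.
NETWORKS = frozenset({"Local Host", "Internal", "External",
                      "VPN Clients", "Quarantined VPN Clients", "Perimeter"})


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    relationship: str  # ROUTE or NAT


def default_rules() -> List[NetworkRule]:
    """The three network rules the guide says ISA Server creates at installation."""
    return [
        NetworkRule("Local Host Access", frozenset({"Local Host"}),
                    NETWORKS - {"Local Host"}, ROUTE),
        NetworkRule("VPN Clients to Internal Network",
                    frozenset({"VPN Clients", "Quarantined VPN Clients"}),
                    frozenset({"Internal"}), ROUTE),
        NetworkRule("Internet Access", frozenset({"Internal"}),
                    frozenset({"External"}), NAT),
    ]


def relationship(rules: List[NetworkRule], src: str, dst: str) -> Optional[str]:
    """Effective relationship for traffic from src to dst, or None when the two
    networks are not connected (a network stays isolated until a rule connects it).

    The list is walked in order. The first rule that mentions the pair, in either
    direction, decides: a route rule connects both directions; a NAT rule connects
    only its source -> destination direction, and any later rule for the same pair
    is ignored, as the guide states for conflicting rules.
    """
    for rule in rules:
        forward = src in rule.sources and dst in rule.destinations
        reverse = dst in rule.sources and src in rule.destinations
        if not (forward or reverse):
            continue
        if rule.relationship == ROUTE:
            return ROUTE
        return NAT if forward else None
    return None


def conflicting_rules() -> List[NetworkRule]:
    """Constructed case: a NAT rule followed by a route rule for the same pair.
    The second rule is ignored for that pair because NAT is already defined."""
    return default_rules() + [
        NetworkRule("Internal to Perimeter (NAT)", frozenset({"Internal"}),
                    frozenset({"Perimeter"}), NAT),
        NetworkRule("Internal and Perimeter (route, ignored)",
                    frozenset({"Internal"}), frozenset({"Perimeter"}), ROUTE),
    ]


if __name__ == "__main__":
    rules = conflicting_rules()
    for src, dst in [("Internal", "External"), ("External", "Internal"),
                     ("VPN Clients", "Internal"), ("Internal", "VPN Clients"),
                     ("External", "Local Host"), ("Internal", "Perimeter"),
                     ("Perimeter", "Internal")]:
        print(f"{src:>24} -> {dst:<24} {relationship(rules, src, dst)}")
```

Note that "External -> Internal" yields no relationship at all under the default rules, which is the unidirectional NAT behaviour the section describes, while every VPN network reaches Internal in both directions through the single route rule.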


2.2 System policy

When you install ISA Server, a default system policy is created. The system policy defines access rules between the ISA Server computer and the networks connected to it, for specific resource access.

Note: All of the system policy categories are enabled by default when you install ISA Server, with the policy applied specifically to the Internal network. You can modify the settings of the system policy. We recommend that you disable the categories of the system policy that you do not require in your configuration of ISA Server.

The system policy contains the following categories:

Network Services
Authentication Services
Remote Management
Firewall Client
Diagnostic Services
Logging
Remote Monitoring
Various

When you enable or disable a system policy configuration group or an item under a configuration group, ISA Server enables or disables the related system policy access rules.


2.3 VPN integration

ISA Server helps you set up and secure a virtual private network (VPN). A VPN is a collection of computers that are connected to the corporate network securely from remote locations on the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link.

VPN connections allow users who work at home or other remote sites to obtain a remote access connection to an organization server, using the infrastructure provided by a public internetwork, such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization server (the ISA Server computer). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public internetwork, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

There are two types of VPN connections:

Remote access VPN connection. A client makes a remote access VPN connection that connects to a private network. ISA Server provides access to the entire network to which the VPN server is attached.

Site-to-site VPN connection. A VPN server makes a site-to-site VPN connection that connects two portions of a private network securely. ISA Server provides a connection to the network to which the ISA Server computer is attached.

By using the ISA Server computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the ISA Server access policy defined for the preconfigured VPN Clients network. All VPN clients belong to the VPN Clients network, and they are allowed access to resources on the Internal network in accordance with a predefined policy.

Although the VPN users are virtually part of the Internal network address range, they are not necessarily subject to the Internal network's access policy, as you configured it for ISA Server. Special rules can be configured to allow users access to network resources. Because an access policy can be configured for the VPN Clients network, VPN clients are subject to the same stateful inspection mechanisms as any client communicating between networks through ISA Server.

All VPN connections to the ISA Server computer are logged to the Firewall log. This enables you to audit VPN connections.

When you configure the VPN, you can set aside a pool of static IP addresses for the VPN users' computers. When a VPN client connects to the local network, it is assigned an IP address from this address pool. Alternatively, you can choose to have IP addresses assigned to VPN clients dynamically, by a Dynamic Host Configuration Protocol (DHCP) server. The IP address is added to the VPN Clients network.

Additionally, you can enable quarantine mode for VPN. By enabling quarantine mode, you ensure that a client is checked for compliance with corporate software policy before it is allowed to join the VPN Clients network, typically with unlimited access to the Internal network. Quarantine Control provides phased network access for remote (VPN) clients by restricting them to a quarantine mode before actually allowing them access to the network. After the client computer configuration is either brought into or determined to be in compliance with your organization's specific quarantine restrictions, standard VPN policy is applied to the connection in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements. For more information, see the document VPN Roaming Clients in ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=20612).

You can create two different policies for each of the VPN client networks:

Quarantined VPN Clients network. You restrict access to the servers from which the client can download necessary updates to achieve compliance with your software policy.

VPN Clients network. You can allow access to all corporate (Internal network) resources, or restrict access as appropriate. The VPN Clients network will have a NAT relationship with the External network. A network rule defining a NAT relationship between the VPN network and the External network will be configured.


2.4 Users and authentication

With the new ISA Server functionality, you can apply access policy to Windows users or to users authenticated by different authentication mechanisms (namespaces), such as Remote Authentication Dial-In User Service (RADIUS). ISA Server supports the following authentication mechanisms:

Web Proxy clients. Basic authentication (using Active Directory directory service or RADIUS), Digest authentication, Integrated Windows authentication, or certificates.

VPN clients. Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, Extensible Authentication Protocol (EAP), and RADIUS.

Firewall clients. Kerberos or NTLM.

ISA Server features an authentication extensibility mechanism that allows third-party vendors to implement additional authentication schemes.

You can use ISA Server to apply access policy or publishing policy to specific users or IP addresses. Users can be grouped into user sets, and rules can be applied to user sets. When you create a user set, you can add Windows, RADIUS, and SecurID users to the set. You can then apply access rules to that set.


2.5 Cache

With cache rules, you can specify the types of content stored in the cache, and how objects are served from the cache. Depending on your organization's needs, cache rules can be applied to content from all sites or to specified sites, and to all content or limited to specified content types. In addition, you can limit the amount of time that objects are considered valid, and the way cache rules handle expired objects.

By default, an object is stored in the cache only if its source and request headers indicate to do so. However, you can specify which objects are stored based on the following options:

Never, no content will ever be cached. This option disables caching for this rule.

If source and request headers indicate to cache. An object is stored in cache if indicated by the headers.

If you select the second option, you can also choose to cache the following:

Dynamic content. If content is dynamic, objects will be cached, regardless of the response headers.

Content for offline browsing. This includes 302 and 307 responses.

Content requiring user authentication for retrieval. Authentication from the user is required.

With cache rules configuration, you can define whether caching will be enabled for Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Secure Sockets Layer (SSL) responses. In addition, you can configure the cache rule to limit cached content according to file size.

Cached HTTP and FTP objects expire according to Time to Live (TTL) settings. For HTTP objects, expiration is configured based on TTL, defined in the response header, and the TTL boundaries defined in the cache rule. TTL boundaries are calculated as a percentage of content age, which is the amount of time since an object was created or modified. FTP objects expire according to the TTL defined for FTP objects in the cache rule.

As part of the cache rules configuration, you can define how objects stored in the cache are retrieved and served from the cache. Before ISA Server determines how the request will be routed, as defined in the network routing rules, ISA Server checks whether a valid copy of the object exists in the cache. An object is considered valid if its TTL period did not expire, as specified in the HTTP caching properties or on the object itself. Depending on how you configure the routing rule's cache properties, ISA Server will retrieve the object from the cache. You can configure ISA Server to do one of the following:

Retrieve an object from the cache, only if the object is still valid. If an object is not valid, the request is routed to the server and retrieved.

Retrieve an object from the cache, regardless of whether the object is still valid or not. If there is no version of the object in the cache, the request is routed to the server.

Never route the request. If no version of the object is found in the cache, an error page is returned.

Cache rules are ordered, with the default cache rule processed last. For each new connection, the ISA Server computer processes the cache rules in order (that is, the first rule is processed first). If the request matches the conditions specified by the rule, the request is routed, redirected, and cached accordingly. Otherwise, the next rule is processed. This continues until the last, default rule is processed, and applied to the request.

When you install ISA Server, it configures a default cache rule. The default rule is initially configured so that only valid, requested objects will be retrieved from the ISA Server cache. If the object in the cache is not valid, it will be retrieved directly from the Internet. You cannot modify how the default cache rule retrieves objects.
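The following model, added here as an example rather than ISA Server's own implementation, walks an ordered cache-rule list the way this section describes: first matching rule wins with the unmodifiable default rule last, an object's TTL is the response-header value when present and otherwise a percentage of content age clamped to the rule's TTL boundaries (an assumption about how the boundaries apply), and the three retrieval options decide whether a request is served from cache, routed to the server, or answered with an error page. The host names, rule set, percentage default and timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlparse

# Constructed model of ISA Server 2004 cache-rule evaluation as described in
# the guide (illustrative code, not the product's implementation).

# The three retrieval options a cache rule can be configured with.
VALID_ONLY = "valid_only"    # serve from cache only if still valid, else route
ANY_VERSION = "any_version"  # serve any cached copy; route only if none cached
NEVER_ROUTE = "never_route"  # serve any cached copy; otherwise an error page

SERVE_FROM_CACHE, ROUTE_TO_SERVER, ERROR_PAGE = "cache", "route", "error"


@dataclass(frozen=True)
class CacheRule:
    name: str
    sites: Optional[FrozenSet[str]]  # None means the rule applies to all sites
    retrieval: str
    ttl_percent: int = 20            # TTL as a percentage of content age (assumed)
    ttl_min: int = 0                 # lower TTL boundary, seconds (assumed)
    ttl_max: int = 86400             # upper TTL boundary, seconds (assumed)


@dataclass(frozen=True)
class CachedObject:
    stored_at: int                    # time the copy entered the cache
    content_age: int                  # seconds since creation/modification when stored
    header_ttl: Optional[int] = None  # TTL from the response header, if any


# The default rule is processed last and retrieves valid objects only.
DEFAULT_RULE = CacheRule("Default rule", None, VALID_ONLY)


def ttl_for(rule: CacheRule, obj: CachedObject) -> int:
    """Header TTL when the response supplied one; otherwise a percentage of
    content age clamped to the rule's TTL boundaries (modelling assumption)."""
    if obj.header_ttl is not None:
        return obj.header_ttl
    derived = obj.content_age * rule.ttl_percent // 100
    return max(rule.ttl_min, min(rule.ttl_max, derived))


def is_valid(rule: CacheRule, obj: CachedObject, now: int) -> bool:
    """An object is valid while its TTL period has not expired."""
    return now - obj.stored_at < ttl_for(rule, obj)


def match_rule(rules: List[CacheRule], url: str) -> CacheRule:
    """First rule, in order, whose site condition matches; default rule last."""
    host = urlparse(url).hostname or ""
    for rule in rules:
        if rule.sites is None or host in rule.sites:
            return rule
    return DEFAULT_RULE


def decide(rules: List[CacheRule], cache: Dict[str, CachedObject],
           url: str, now: int) -> str:
    """Apply the matching rule's retrieval option to the cached state of url."""
    rule = match_rule(rules, url)
    obj = cache.get(url)
    if obj is not None and (rule.retrieval != VALID_ONLY or is_valid(rule, obj, now)):
        return SERVE_FROM_CACHE
    if rule.retrieval == NEVER_ROUTE:
        return ERROR_PAGE
    return ROUTE_TO_SERVER


# Constructed rule set and cache contents for the illustration.
RULES = [
    CacheRule("Intranet mirror", frozenset({"intranet.example"}), NEVER_ROUTE),
    CacheRule("Partner site", frozenset({"partner.example"}), ANY_VERSION),
    DEFAULT_RULE,
]
CACHE = {
    # content age 1000 s at 20 % gives a 200 s TTL; both stored at t=0
    "http://partner.example/report": CachedObject(stored_at=0, content_age=1000),
    "http://www.example/page": CachedObject(stored_at=0, content_age=1000),
    # the response header fixes the TTL at 60 s regardless of content age
    "http://intranet.example/news": CachedObject(stored_at=0, content_age=5000,
                                                 header_ttl=60),
}

if __name__ == "__main__":
    for url, now in [("http://partner.example/report", 500),
                     ("http://www.example/page", 100),
                     ("http://www.example/page", 500),
                     ("http://www.example/other", 0),
                     ("http://intranet.example/news", 90),
                     ("http://intranet.example/missing", 0)]:
        print(f"t={now:>4} {url:<36} {decide(RULES, CACHE, url, now)}")
```

Running it shows the stale partner report still served under "any version", the default rule routing the same-aged www.example page once its 200 s TTL passes, and the intranet rule never routing: an expired copy is served, a missing one gets the error page.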


    2.6 Configuration export and import

ISA Server includes an export and import feature that you can use to save the server configuration parameters to an .xml file, and then import the information from the file to another server. You can save your configuration to any directory and file name for which you have write permissions.

When a configuration is exported, all general configuration information is exported by default. This includes access policy rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. Some server specific configuration information can be exported, if you select to do so. In addition, you can select to export user permission settings and confidential information, such as user passwords. Confidential information included in the exported file is encrypted. When importing the file, a password is required to open and decrypt this information. This password is set during the export process.

When you export a specific object, the following is exported:

• The specified object, including all property values.
• All descendant objects that are contained within the hierarchy, starting at the specified object.

For example, if you export an access rule, the network objects and user sets used in the creation of that rule are also exported, and will be imported when you later import the rule.


    3.0 Installation Process

Before installing this software, refer to the release notes provided with the CD.

Before you install ISA Server, you must set up the hardware and configure the software of the computer that will run ISA Server.


    3.1 Installation requirements

To use ISA Server, you need:

• A personal computer with a 550 megahertz (MHz) or higher Pentium II-compatible CPU.
• Microsoft Windows Server 2003 or Windows 2000 Server operating system.

  Note: If you install ISA Server on a computer running Windows 2000 Server, note the following additional requirements: Windows 2000 Service Pack 4 or later must be installed. Internet Explorer 6 or later must be installed. If you are using the Windows 2000 SP4 slipstream, you must also install the hotfix specified in article 821887, "Events for Authorization Roles Are Not Logged in the Security Log When You Configure Auditing for Windows 2000 Authorization Manager Runtime," in the Microsoft Knowledge Base. For more up-to-date information about setup and system requirements for ISA Server 2004, see ISA Server Setup and System Requirements.

• 256 megabytes (MB) of memory.
• 150 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.
• One network adapter that is compatible with the computer's operating system, for communication with the Internal network.
• An additional network adapter for each network connected to the ISA Server computer.
• One local hard disk partition that is formatted with the NTFS file system.

Note: You can use ISA Server on a computer that has only one network adapter. Typically, you will do so when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server typically functions to provide an additional layer of application filtering protection to published servers, or to cache content from the Internet. For more information, see ISA Server computers with a single network adapter.

Warning: Do not install ISA Server on a multi-processor computer with more than four processors.


    3.2 Network requirements

ISA Server requires both a Domain Name System (DNS) server and Dynamic Host Configuration Protocol (DHCP) server. We recommend that you have both a DHCP and DNS server installed on a computer running Windows Server 2003 or Windows 2000 Server in your Internal network. If necessary, you can host the DNS and DHCP servers on the ISA Server computer.

3.2.1 DNS server

DNS is the name resolution protocol for TCP/IP networks, such as the Internet. A DNS server hosts the information that enables client computers to resolve memorable, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

3.2.2 DHCP server

DHCP servers centrally manage IP addresses and related information and provide it to clients automatically. This allows you to configure client network settings at a server, instead of configuring them on each client computer.

3.2.3 Configuring the DNS and DHCP servers

To open the Configure Your Server Wizard, click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard. You will have to run the wizard twice: once to configure the DNS server, and once to configure the DHCP server.

When you configure your server to include a DNS server, when the Configure Your Server Wizard completes, the Configure a DNS Server Wizard appears. Review the DNS checklists by clicking DNS Checklists, and then follow the wizard instructions to configure the DNS server.

When you configure your server to include a DHCP server, the Configure Your Server Wizard launches the New Scope Wizard. Follow the instructions of the New Scope Wizard to define the scope for the DHCP server.


    3.3 Installation procedure

    To install ISA Server software, follow these steps:

1. Insert the ISA Server CD into the CD drive, or run ISAautorun.exe from the shared network drive.
2. In Microsoft ISA Server Setup, click Install ISA Server.
3. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.
4. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.
5. Type your customer details, and then click Next.
6. Click Typical Installation, Full Installation, or Custom Installation.

   There are four components that can be installed:

   o ISA Server Services. The services that comprise ISA Server.
   o ISA Server Management. The ISA Server Management user interface.
   o Firewall Client Installation Share. A location from which client computers can install the Firewall Client software. This is typically installed on a computer other than the ISA Server computer, so it is not part of the Typical Installation option. The Firewall Client Share can be installed on computers running Windows Server 2003, Windows 2000 Server, or Windows XP.
   o Message Screener. A component that you configure to screen e-mail messages for keywords and attachments. This component must be installed on a Simple Mail Transfer Protocol (SMTP) server, which is typically not your ISA Server computer.

   Typical Installation installs ISA Server Services and ISA Server Management. Full Installation installs all four components. Custom Installation enables you to select which components you will install.
7. Click Next.
8. Configure the Internal network. Follow these steps:

   a. Click Add.
   b. Click Select Network Adapter.
   c. Select Add address ranges based on the Windows Routing Table.
   d. Select one or more of the adapters that are connected to the Internal network. These addresses will be included in the Internal network that is defined by default for ISA Server.
   e. Clear the selection of Add the following private IP ranges, unless you want to add those ranges to your Internal network.
   f. Click OK. Read the Setup Message, click OK, click OK again to finish the Internal network configuration, and then click Next.
9. On the Firewall Client Connection Settings page, select whether you want to allow nonencrypted connections between Firewall clients and the ISA Server computer. The ISA Server 2004 Firewall Client software uses encryption, but older versions do not. Also, some versions of Windows do not support encryption. You can select the following:

   o Allow non-encrypted Firewall client connections. To allow Firewall clients running on versions of Windows that do not support encryption to connect to the ISA Server computer.
   o Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server. This option is available only if the first option is selected.
10. On the Services page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.
11. Click Install.
12. After the installation is complete, if you want to invoke ISA Server Management immediately, select the Invoke ISA Management checkbox, and then click Finish.


    3.4 Default settings

After installation, ISA Server uses the default settings that are listed in the following table.

Feature / Default setting

User permissions: Members of the Administrators group on the local computer can configure firewall policy.

Network settings: The following network rules are created:

• Local Host Access. Defines a routed network relationship between the Local Host network and All Networks. This defines a network relationship to other networks, needed by services running on the ISA Server computer.
• Internet Access. Defines a NAT network relationship from the Internal network, the Quarantined VPN Clients network, and the VPN Clients network, to the External network. Access will be allowed only if you configure the appropriate access policy.
• VPN Clients to Internal Network. Defines a routed network relationship between the VPN Clients network and the Internal network. Access will be allowed only if you enable VPN client access.

Access rules: The following default rules are created:

• Default rule. This rule denies all traffic between all networks.
• System policy rules. A series of rules that allow the ISA Server computer to interact with other network resources.

Publishing: No internal servers are accessible to external clients.

Web chaining: Default Rule. This rule specifies that all Web Proxy client requests are retrieved directly from the Internet.

Caching: The cache size is set to 0. All caching is therefore disabled.


    3.5 New ways to do familiar tasks

The following table lists common tasks you can perform using ISA Server 2004 and compares these tasks to how they were performed using ISA Server 2000.

If you want to / In ISA Server 2000 / In ISA Server 2004

Publish co-located servers.
  ISA Server 2000: Create a static packet filter allowing access to the specific server located on the ISA Server computer.
  ISA Server 2004: Create a server publishing rule.

Enable an application on the ISA Server computer to access the Internet.
  ISA Server 2000: Create a static packet filter allowing access to the specific port on the ISA Server computer.
  ISA Server 2004: Verify that the default network rule, which is created upon installation, accurately defines a relationship between the Local Host network and the External network. Then, create an access rule that allows access to the specific protocol.

Configure the local address table (LAT).
  ISA Server 2000: Click Local Address Table on any service's properties.
  ISA Server 2004: The Internal network replaces the local address table, and is configured as part of the setup process. You can subsequently reconfigure the Internal network.

Configure IP-based protocol support.
  ISA Server 2000: IP-based protocols were supported in a limited fashion.
  ISA Server 2004: Create a protocol definition, specifying any of the following protocols: TCP, UDP, ICMP, or IP-level. If you select IP-level, you can specify any low-level protocol.

Configure virtual private networking.
  ISA Server 2000: Use the VPN wizards to configure client-to-router or router-to-router VPN.
  ISA Server 2004: Configure and enable VPN properties and monitor VPN connections.

Configure outgoing Web request properties.
  ISA Server 2000: On the array properties, click the Outgoing Web requests tab and configure listener properties.
  ISA Server 2004: Each network has its own listener, the network adapter that is responsible for listening for requests bound for that network.

Configure incoming Web request properties.
  ISA Server 2000: On the array properties, click the Incoming Web requests tab and configure listener properties.
  ISA Server 2004: Web listeners are used as part of each Web publishing rule. When you configure a Web publishing rule, you specify which Web listener to use for that rule.


    3.6 ISA Server computers with a single network adapter


You can install ISA Server on computers with a single network adapter. Typically, you will do so when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server is typically used to cache content from the Internet for use by clients on the corporate network.

3.6.1 Internal network

One of the fundamental features of ISA Server is its ability to connect multiple networks. When ISA Server is installed on a single adapter computer, however, it recognizes only one network, the Internal network. The Internal network comprises all IP addresses, with the following exceptions: 0.0.0.0, 255.255.255.255, and the address range 127.0.0.0-127.255.255.255.

3.6.2 Installing ISA Server on a single adapter computer

As part of the setup process, you specify the addresses in the Internal network. When you install ISA Server on a computer with one network adapter, be sure to include all addresses except 0.0.0.0, 255.255.255.255, and the address range 127.0.0.0-127.255.255.255.

You can use the Single Network Adapter network template to configure your single adapter ISA Server computer. To use the template, in ISA Server Management, expand the Configuration node, and select Networks. In the task pane, on the Templates tab, select Single Network Adapter to start the Network Template Wizard. Follow the wizard steps to complete the configuration. We recommend that you use the default settings provided by the Network Template Wizard.

3.6.3 Caching

You can deploy ISA Server on a single adapter computer as a forward proxy and caching server, which provides clients with optimized access to the Internet. In this scenario, you can configure ISA Server to maintain a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client, and use cache rules to manage the cache. In this scenario, you will modify the default firewall policy to allow internal clients access to the Internet. Although all IP addresses are considered to be on the same Internal network, ISA Server will deny Web traffic due to the default Deny All rule. You therefore need to create a rule that allows Web traffic to pass between the networks. To enable this caching scenario, you must create an access rule that allows all clients to use HTTP (and HTTPS and FTP, as appropriate). Because the Internal network is uniquely defined to include all addresses, the source and destination networks for this rule should be Internal.

3.6.4 Single adapter mode functionality

When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:


• Firewall clients
• Virtual private networking
• IP packet filtering
• Multi-network firewall policy
• Server publishing
• Application level filtering

This results in a limited security role for ISA Server in your network.


    4.0 Feature Walk-through

ISA Server supports a highly flexible, multi-networking environment, enabling you to securely connect numerous networks with varying access permissions. Some sample scenarios illustrating the multi-networking environment and functionality are described in the following sections. Note that the scenarios do not illustrate the complete scope of new features included in this release. Rather, they demonstrate some of the more common firewall scenarios that you can deploy using ISA Server. By performing the walk-through steps in a simple laboratory environment, you can become familiar and comfortable with some of the ISA Server 2004 features and with the user interface.

We recommend that you always create your ISA Server configuration in a laboratory environment before you try it in production.

The scenarios assume a lab configuration connecting an Internal network to the Internet. Various servers are published on a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). Virtual private network (VPN) clients can access resources on the Internal network. We recommend that you set up three isolated networks in a laboratory environment before deploying a solution in a production environment. The laboratory used in this feature walk-through consists of:

• A network simulating your corporate network, called CorpNet. In the walk-through, CorpNet spans this address range: 10.0.0.0 through 10.255.255.255.
• A network simulating the Internet, called MockInternet. In the walk-through, MockInternet spans this address range: 192.168.0.0 through 192.168.255.255.
• A perimeter network, called PerimeterNet. In the walk-through, PerimeterNet spans this address range: 172.16.0.0 through 172.31.255.255.

The following figure illustrates the scenario environment.


The figure illustrates the following computers:

• Two client computers, referred to as InternalClient1 and InternalClient2, with Windows XP installed. These computers are on the CorpNet domain.
• A server, referred to as InternalWebServer, with Windows Server 2003 and Internet Information Services (IIS) installed. This computer is on the CorpNet domain.
• A domain controller is assumed to be located on the CorpNet. The domain controller is used for client authentication.
• A computer, referred to as Perimeter_IIS, with Windows Server 2003 installed. IIS is also installed on this computer. The computer is on the PerimeterNet domain.
• A computer, referred to as External1, with Windows Server 2003 and IIS installed. This computer is on MockInternet.
• A Web server, referred to as ExternalWebServer. This computer is on MockInternet.
• A computer, referred to as ISA_1, with Windows Server 2003 and ISA Server 2004 installed. It has three network adapters installed:
  o The IP address of the adapter connected to CorpNet is 10.0.0.1.
  o The IP address of the adapter connected to PerimeterNet is 172.16.0.1.
  o The IP address of the adapter connected to MockInternet is 192.168.0.1.

Note: There are no DNS servers described in the configuration. The scenario assumes that a DNS server is installed on the domain controller on CorpNet. The scenario also assumes that there is name resolution within each network, but not between the networks.

The configuration would be similar in a production environment. The differences would be in the use of the default ISA Server defined External network (representing the Internet) rather than MockInternet, and the use of your real IP address ranges for your internal and perimeter networks.


Different computers are required to test the various scenarios. The following table lists which computers are required for each scenario.

Scenario / Computers required

4.1 Export a configuration: ISA_1
4.2 Access the Internet from the Internal network: ISA_1, InternalClient1, ExternalWebServer
4.3 Create and configure a restricted computer set: ISA_1, InternalClient2, External1
4.4 Create a perimeter network using the Network Template Wizard: ISA_1
4.5 Publish a Web server on the perimeter network: ISA_1, External1, Perimeter_IIS
4.6 Publish a Web server on the Internal network: ISA_1, InternalWebServer, External1
4.7 Configure virtual private networking: ISA_1, External1, InternalClient1
4.8 Modify system policy: ISA_1
4.9 Import a configuration: ISA_1

Before you begin configuring the following scenarios, verify that the routing tables on the computers are properly configured. On each network, the default gateway must be set to the IP address of the ISA Server computer's adapter for that network. For example, to set the default gateway for Perimeter_IIS, type the following at a command prompt on the Perimeter_IIS computer:

route add 0.0.0.0 MASK 0.0.0.0 172.16.0.1
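The following Python snippet is an added example (not ISA Server code) that models two address rules from this document: the Internal network of a single-adapter ISA Server computer from section 3.6.2, computed as every IPv4 address except 0.0.0.0, 255.255.255.255 and 127.0.0.0-127.255.255.255, and the default gateway rule just stated, which derives the ISA_1 adapter address and the route command for any lab host from the CorpNet, PerimeterNet and MockInternet ranges given in the walk-through. The network names and addresses are the document's; the function names are the example's own.

```python
"""Address-range helpers for the networks described in this document.

Added example, not ISA Server code. It models (a) the Internal network of a
single-adapter ISA Server computer (section 3.6.2): every IPv4 address except
0.0.0.0, 255.255.255.255 and 127.0.0.0-127.255.255.255, and (b) the lab
routing rule above: each host's default gateway is the ISA_1 adapter on that
host's network. Network names and addresses come from the walk-through;
the function names are this example's own.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Lab networks from the walk-through and ISA_1's adapter address on each.
LAB_NETWORKS: Dict[str, Tuple[Net, IPv4]] = {
    "CorpNet":      (Net("10.0.0.0/8"),     IPv4("10.0.0.1")),
    "PerimeterNet": (Net("172.16.0.0/12"),  IPv4("172.16.0.1")),
    "MockInternet": (Net("192.168.0.0/16"), IPv4("192.168.0.1")),
}

# Addresses a single-adapter Internal network must leave out (section 3.6.2).
SINGLE_ADAPTER_EXCLUSIONS: List[Net] = [
    Net("0.0.0.0/32"),
    Net("127.0.0.0/8"),
    Net("255.255.255.255/32"),
]

MAX_IPV4 = 2 ** 32 - 1


def single_adapter_internal_ranges() -> List[Tuple[IPv4, IPv4]]:
    """Return the (first, last) ranges to enter for the Internal network:
    the whole IPv4 space with the exclusions cut out."""
    excluded = sorted((int(n[0]), int(n[-1])) for n in SINGLE_ADAPTER_EXCLUSIONS)
    ranges: List[Tuple[IPv4, IPv4]] = []
    cursor = 0                       # first address not yet assigned to a range
    for lo, hi in excluded:
        if lo > cursor:
            ranges.append((IPv4(cursor), IPv4(lo - 1)))
        cursor = max(cursor, hi + 1)
    if cursor <= MAX_IPV4:
        ranges.append((IPv4(cursor), IPv4(MAX_IPV4)))
    return ranges


def in_single_adapter_internal(address: str) -> bool:
    """True if the address belongs to the single-adapter Internal network."""
    value = int(IPv4(address))
    return any(int(first) <= value <= int(last)
               for first, last in single_adapter_internal_ranges())


def default_gateway_for(host_address: str) -> Tuple[str, IPv4]:
    """Return (network name, ISA_1 adapter address) for a lab host; the
    gateway must be ISA_1's adapter on the host's own network."""
    host = IPv4(host_address)
    for name, (net, isa_adapter) in LAB_NETWORKS.items():
        if host in net:
            if isa_adapter not in net:
                raise ValueError(f"ISA_1 adapter {isa_adapter} is not on {name}")
            return name, isa_adapter
    raise ValueError(f"{host} is not on any lab network")


def route_add_command(host_address: str) -> str:
    """The Windows route command from the text, for the given lab host."""
    _, gateway = default_gateway_for(host_address)
    return f"route add 0.0.0.0 MASK 0.0.0.0 {gateway}"


if __name__ == "__main__":
    for first, last in single_adapter_internal_ranges():
        print(f"Internal range: {first} - {last}")
    for host in ("10.0.0.20", "172.16.0.10", "192.168.0.50"):
        print(f"{host}: {route_add_command(host)}")
```

Running it prints the two ranges a single-adapter setup needs (0.0.0.1 through 126.255.255.255 and 128.0.0.0 through 255.255.255.254) and, for each sample host, the same route command the text gives for Perimeter_IIS with the gateway substituted for that host's network.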


    4.1 Scenario 1: Export a configuration

This scenario illustrates the export feature of ISA Server. You can save all or parts of an ISA Server computer's configuration to an .xml file. This enables you to duplicate all or part of a configuration from one ISA Server computer to another, or to preserve a configuration before you make substantial changes, so that you can revert to an earlier configuration.

In this scenario, you will export the configuration of the ISA Server computer to an .xml file before you make any of the changes associated with the scenarios that follow. To export the configuration, perform the following steps:

1. Open Microsoft ISA Server Management and click ISA_1.
2. In the task pane, on the Tasks tab, click Export ISA Server Configuration to a File. This will export the configuration of ISA_1, exactly as it is at the time of export.


3. In Export Configuration, in Save in, select the location where you want to save the export file. In File name, type the file name of the .xml file to which you want to export the configuration, such as MyDefaultConfig.xml, and click Export.

   Notes: You can choose to export user permission settings, by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users, for example, indicating who has administrative rights.

   If you want to export confidential information, select Export confidential information. If you do, confidential information will be encrypted during export. If you export confidential information, you will be prompted to provide a password during the export process. You will need this password when you import the firewall policy configuration.

4. When the export operation has completed, click OK to close the status dialog box.


4.2 Scenario 2: Access the Internet from the Internal network

In this scenario, internal clients require secured connectivity to the Internet. The following computers are required:

• ISA_1, with at least two network adapters
• InternalClient1, on CorpNet, to test the scenario
• ExternalWebServer, on MockInternet, to test the scenario

The goal is to access ExternalWebServer from InternalClient1 through ISA_1.

The routing table on InternalClient1 routes all requests for external addresses to the internal IP address of the ISA Server computer (the IP address of the network adapter card that is connected to the Internal network). The ISA Server computer is serving as the default gateway for all Internal network requests for external IP addresses.

The following sections describe how to configure the solution:

4.2.1 Configure the Internal network
4.2.2 Create network rules
4.2.3 Create policy rules
4.2.4 Test the scenario

    4.2.1 Configure the Internal network


As part of the setup process, you specified the address range in your Internal network, thereby configuring the Internal network. Verify that the configuration is valid, and that the Internal network contains only addresses on CorpNet. On ISA_1, perform the following steps:

1. Open Microsoft ISA Server Management, expand ISA_1, expand the Configuration node, and click Networks.
2. In the details pane, on the Networks tab, the address ranges included in each network are shown.
3. Verify that only IP addresses of computers on your corporate network are included in the Internal network.

   Note: If necessary, you can reconfigure the Internal network by double-clicking Internal on the Networks tab to open the Internal Properties dialog box. Select the Addresses tab, and use the Add and Remove buttons to add or remove address ranges from the network. You can also use the Add Adapter button to add all of the IP ranges associated with a particular network adapter, or the Add Private button to add private address ranges.

4. Double-click Internal in the Networks tab to open the Internal Properties dialog box. On the Web Proxy tab, verify that Enable Web Proxy clients is selected, that Enable HTTP is selected, and that in HTTP Port, 8080 is specified, and then click OK.

4.2.2 Create network rules

As part of the installation process, a default Internet Access network rule was created. This rule defines a relationship between the Internal network and the External network. To verify the rule configuration, perform the following steps:

1. Expand the Configuration node, and click Networks.
2. On the Network Rules tab, double-click the Internet Access rule to display the Internet Access Properties dialog box.
3. On the Source Networks tab, verify that Internal is listed. If it is not, do the following:
   a. Click Add.
   b. In Add Network Entities, click Networks, click Internal, click Add, and then click Close.
4. On the Destination Networks tab, verify that External is listed. If it is not, do the following:
   a. Click Add.
   b. In Add Network Entities, click Networks, click External, click Add, and then click Close.
5. On the Network Relationship tab, select Network Address Translation (NAT).
6. Click OK.
7. In the details pane, click Apply to apply changes, if you made any.


4.2.3 Create policy rules

To allow the internal client access to the Internet, you must create an access rule allowing the internal clients to use HTTP and HTTPS protocols. Perform the following steps:

1. Click Firewall Policy. On the task pane, select the Tasks tab, and click Create New Access Rule to start the New Access Rule Wizard.
2. On the Welcome page, type the name of the rule. For example, type Allow Internal clients HTTP and HTTPS access to the Internet. Then, click Next.
3. On the Rule Action page, select Allow, and then click Next.
4. On the Protocols page, in This rule applies to, select Selected protocols, and then click Add.
5. In the Add Protocols dialog box, expand Common Protocols. Click HTTP, click Add, click HTTPS, click Add, and then click Close. Then, click Next.
6. On the Access Rule Sources page, click Add.
7. In the Add Network Entities dialog box, click Networks, and then select Internal. Click Add, and then click Close. Then, click Next.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click Networks, and then select External. Click Add, and then click Close. Then, click Next.
10. On the User Sets page, verify that All Users is specified. Then, click Next.
11. Review the summary page, and then click Finish.
12. In the details pane, click Apply to apply the changes you made. Note that it may be a few moments before the changes are applied.
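Sections 4.2.2 and 4.2.3 together set up the two checks a request has to pass: a network rule must relate the source and destination networks, and an access rule placed before the default Deny rule (section 3.4) must allow the protocol for that source, destination and user set. The following Python model is an added example, not ISA Server code; it uses the two default network rules from section 3.4, the access rule named in step 2 above, and constructed sample requests. Treating a Route relationship as applying in both directions and a NAT relationship as one-way, from its sources to its destinations, is the model's assumption.

```python
"""Model of the ISA Server access check configured in sections 4.2.2 and 4.2.3.

Added example, not ISA Server code. Traffic passes only if (1) a network rule
relates the source network to the destination network and (2) the first
matching access rule, searched in order with the default Deny rule last,
is an Allow rule. Network and rule names come from the walk-through; the
sample requests are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def _selects(selector: FrozenSet[str], value: str) -> bool:
    """A selector of {"*"} stands for 'All Networks' / any value."""
    return "*" in selector or value in selector


@dataclass(frozen=True)
class Request:
    source_network: str
    destination_network: str
    protocol: str
    user: str = "anonymous"


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    relationship: str  # "Route" or "NAT"

    def relates(self, src: str, dst: str) -> bool:
        """Model assumption: Route works both ways, NAT only sources -> destinations."""
        forward = _selects(self.sources, src) and _selects(self.destinations, dst)
        if self.relationship == "Route":
            return forward or (_selects(self.sources, dst) and _selects(self.destinations, src))
        return forward


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                           # "Allow" or "Deny"
    protocols: Optional[FrozenSet[str]]   # None means all protocols
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    users: FrozenSet[str] = frozenset({"All Users"})

    def matches(self, req: Request) -> bool:
        return (
            (self.protocols is None or req.protocol in self.protocols)
            and _selects(self.sources, req.source_network)
            and _selects(self.destinations, req.destination_network)
            and ("All Users" in self.users or req.user in self.users)
        )


# Default network rules created by Setup (section 3.4).
LOCAL_HOST_ACCESS = NetworkRule(
    "Local Host Access", frozenset({"Local Host"}), frozenset({"*"}), "Route")
INTERNET_ACCESS = NetworkRule(
    "Internet Access",
    frozenset({"Internal", "Quarantined VPN Clients", "VPN Clients"}),
    frozenset({"External"}), "NAT")
LAB_NETWORK_RULES: List[NetworkRule] = [LOCAL_HOST_ACCESS, INTERNET_ACCESS]

# Default access rule (section 3.4): denies all traffic between all networks; always last.
DEFAULT_DENY = AccessRule("Default rule", "Deny", None, frozenset({"*"}), frozenset({"*"}))

# The access rule created in section 4.2.3.
ALLOW_WEB = AccessRule(
    "Allow Internal clients HTTP and HTTPS access to the Internet",
    "Allow", frozenset({"HTTP", "HTTPS"}), frozenset({"Internal"}), frozenset({"External"}))
LAB_ACCESS_RULES: List[AccessRule] = [ALLOW_WEB]


def evaluate(network_rules: List[NetworkRule], access_rules: List[AccessRule],
             req: Request) -> str:
    """Return 'allow: <rule name>' or 'deny: <reason>' for one request."""
    if not any(r.relates(req.source_network, req.destination_network) for r in network_rules):
        return f"deny: no network rule relates {req.source_network} to {req.destination_network}"
    for rule in list(access_rules) + [DEFAULT_DENY]:   # default rule is processed last
        if rule.matches(req):
            return f"{rule.action.lower()}: {rule.name}"
    raise AssertionError("unreachable: the default rule matches every request")


if __name__ == "__main__":
    samples = [
        Request("Internal", "External", "HTTP"),    # the walk-through's intended traffic
        Request("Internal", "External", "FTP"),     # protocol not in the Allow rule
        Request("External", "Internal", "HTTP"),    # no network rule in this direction
        Request("External", "Local Host", "HTTP"),  # related by Route, but no Allow rule
    ]
    for req in samples:
        print(f"{req.source_network} -> {req.destination_network} {req.protocol}: "
              f"{evaluate(LAB_NETWORK_RULES, LAB_ACCESS_RULES, req)}")
```

The last two sample requests show why the defaults are safe: inbound traffic from External fails at the network-rule check, and even where a Route relationship exists (the Local Host network) the default Deny rule still applies until an Allow rule or system policy rule is added above it.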

4.2.4 Test the scenario

To verify that the scenario works, InternalClient1 will access ExternalWebServer on the External network (MockInternet).

On InternalClient1, perform the following steps:

1. On InternalClient1, open Internet Explorer 6.0.
2. In Internet Explorer, click the Tools menu, and then click Internet Options.
3. On the Connections tab, click LAN Settings.
4. In Proxy server, select the Use a proxy server for your LAN check box.
5. In Address, type the computer name of ISA_1 and in Port, type 8080. If there is no DNS server in your lab configuration, use the IP address of ISA_1 rather than its name.
6. Verify that Automatically detect settings is not selected.
7. Close Internet Explorer. Then, reopen Internet Explorer.
8. In Internet Explorer, in Address, type the IP address of ExternalWebServer. Note that if a DNS server is available for name resolution on MockInternet, you can type the fully qualified domain name (FQDN) of ExternalWebServer.


If your browser displays the Web page published on ExternalWebServer, InternalClient1 accessed ExternalWebServer, and you have successfully configured this scenario.


4.3 Scenario 3: Create and configure a restricted computer set

    In this scenario you will create a computer set within the Internal network, and deny it

    access to the Internet. The following computers are required:

    ISA_1 with at least two network adapters.

    InternalClient2, on CorpNet.

    ExternalWebServer, on MockInternet, to test the scenario.

    The following sections describe how to configure the solution:

    4.3.1 Configure the restricted computer set

    4.3.2 Restrict access to the Internet

    4.3.3 Test the scenario

    4.3.1 Configure the restricted computer set

    The following example uses the IP addresses associated with the lab deployment Internal network: 10.0.0.0 through 10.255.255.255. In the example, you will create a computer set containing the IP addresses 10.54.0.0 through 10.55.255.255, which includes InternalClient2.

    Perform the following steps:

    1. Open Microsoft ISA Server Management, expand ISA_1, and click Firewall Policy.

    2. On the task pane, select the Toolbox tab, select Network Objects, click New, and then select Computer Set.

    3. In Name, type a name for the new computer set, such as Restricted Computer

    Set.

    4. Click Add and select Address Range.

    5. In the New Address Range Rule Element dialog box, provide a name for the address range, such as Range for Restricted Computer Set. Provide an IP address range that includes the address of InternalClient2, such as 10.54.0.0 through 10.55.255.255, and then click OK.

    6. Click OK to close the New Computer Set Rule Element dialog box.

    7. In the details pane, click Apply to apply the changes you made.

    8. Save the network configuration to an .xml file, so that if you make a configuration change that changes or destroys this network object, you can recover its configuration. On the task pane, in the Toolbox tab, select Network Objects, expand Computer Sets, right-click the newly defined computer set, and select Export Selected. Choose a location in which to save the file containing the configuration information, and a name that describes its contents, such as Restricted computer set export file. Click Export to export the configuration.

    9. When the export operation is complete, click OK to close the status dialog box.

    4.3.2 Restrict access to the Internet

    You can now create an access rule denying Internet access to the computer set. Note that the order of the access rules will affect whether the computer set will be able to access the Internet. ISA Server reads access rules in order, and will allow access if it reads the Internal network allow rule before it reads the Restricted Computer Set deny rule.

    To create an access rule that denies access from the Restricted Computer Set to the External network, perform the following steps:

    1. Click Firewall Policy. In the task pane, select the Tasks tab, and click Create New Access Rule to start the New Access Rule Wizard.

    2. On the Welcome page, type the name of the rule. For example, type Deny Restricted Computer Set HTTP and HTTPS access to the Internet. Then, click Next.

    3. On the Rule Action page, select Deny, and then click Next.

    4. On the Protocols page, in This rule applies to, select Selected protocols, and then click Add.

    5. In the Add Protocols dialog box, click Common Protocols. Click HTTP, click Add, click HTTPS, click Add, and then click Close. Then, click Next.

    6. On the Access Rule Sources page, click Add.

    7. In the Add Network Entities dialog box, click Computer Sets, and then select Restricted Computer Set. Click Add, and then click Close. Then, click Next.

    8. On the Access Rule Destinations page, click Add.

    9. In the Add Network Entities dialog box, click Networks, and then select External. Click Add, and then click Close. Then, click Next.

    10. On the User Sets page, verify that All Users is specified. Then, click Next.

    11. Review the summary page, and then click Finish.

    12. In the details pane, click Apply to apply the changes you made.

    13. Save the rule to an .xml file so that if you make a basic change, such as running a Network Template Wizard, you can import the rule. In the details pane, right-click the newly defined rule, and select Export Selected. Choose a location in which to save the file containing the rule information, and a name that describes its contents, such as Restricted Computer Set Internet Deny Rule.xml. Click Export to export the rule.

    14. When the export operation is complete, click OK to close the status dialog box.

    4.3.3 Test the scenario

    To verify that the scenario works, InternalClient2 in the Restricted Computer Set will try to access ExternalWebServer on the External network (MockInternet).


    On InternalClient2, perform the following steps:

    1. On InternalClient2, open Internet Explorer 6.0.

    2. In Internet Explorer, click the Tools menu, and then click Internet Options.

    3. On the Connections tab, click LAN Settings.

    4. In Proxy server, select the Use a proxy server for your LAN check box.

    5. In Address, type the computer name (or IP address, if you do not have a DNS server configured) of ISA_1 and in Port, type 8080.

    6. Verify that Automatically detect settings is not selected.

    7. Close Internet Explorer. Then, reopen Internet Explorer.

    8. In Internet Explorer, in Address, type the IP address of ExternalWebServer.

    Note If a DNS server is available for name resolution on MockInternet, you can

    type the FQDN of ExternalWebServer.

    If your browser displays an access denied page, you configured the computer set and

    deny rule successfully.

    The deny access rule you created appears first in the list of access rules in the Firewall Policy details pane. If you move it down in order below the Allow Internal clients HTTP and HTTPS access to the Internet allow rule (created in the previous scenario), ISA Server will evaluate the allow rule first, and computers in the Restricted Computer Set will have access to the Internet. To change the order of the deny rule, right-click the rule and select Move Down. After you move the deny rule below the allow rule and apply changes by clicking the Apply button in the details pane, test the Internet access again. InternalClient2 should now have Internet access.

    If your browser now displays the Web page published on ExternalWebServer, InternalClient2 accessed ExternalWebServer, and you have successfully configured this scenario.
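    The rule-order behaviour described above, as an added model (not ISA Server code and not part of this guide): first-match evaluation of the two access rules built in Scenarios 2 and 3, plus a check that flags a deny rule that an earlier allow rule shadows. The address ranges are the lab values from this guide; the two client addresses are constructed samples inside those ranges.

```python
"""First-match evaluation of the access rules built in Scenarios 2 and 3.

Added model, not ISA Server code. The address ranges are the lab values
from this guide; the two client addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AddressRange:
    first: IPv4Address
    last: IPv4Address

    def __contains__(self, ip: IPv4Address) -> bool:
        return self.first <= ip <= self.last

    def covers(self, other: "AddressRange") -> bool:
        return self.first <= other.first and other.last <= self.last


# Rule elements from the guide: the Internal network and the computer set
INTERNAL = AddressRange(IPv4Address("10.0.0.0"), IPv4Address("10.255.255.255"))
RESTRICTED_SET = AddressRange(IPv4Address("10.54.0.0"), IPv4Address("10.55.255.255"))


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocols: frozenset      # protocols selected in the wizard
    sources: tuple            # AddressRange elements (networks, computer sets)
    destinations: frozenset   # destination network names

    def matches(self, src_ip, dst_network, protocol) -> bool:
        return (protocol in self.protocols
                and dst_network in self.destinations
                and any(src_ip in r for r in self.sources))


WEB = frozenset({"HTTP", "HTTPS"})
ALLOW_INTERNAL = Rule("Allow Internal clients HTTP and HTTPS access to the Internet",
                      "allow", WEB, (INTERNAL,), frozenset({"External"}))
DENY_RESTRICTED = Rule("Deny Restricted Computer Set HTTP and HTTPS access to the Internet",
                       "deny", WEB, (RESTRICTED_SET,), frozenset({"External"}))


def evaluate(policy, src_ip, dst_network, protocol):
    """Return (action, rule name) for the first rule that matches. The implicit
    default rule denies whatever no earlier rule matched."""
    for rule in policy:
        if rule.matches(src_ip, dst_network, protocol):
            return rule.action, rule.name
    return "deny", "Default rule"


def shadowed_deny_rules(policy):
    """Names of deny rules that can never fire because an earlier allow rule
    already matches every source, protocol and destination they cover."""
    shadowed = []
    for i, rule in enumerate(policy):
        if rule.action != "deny":
            continue
        for earlier in policy[:i]:
            if (earlier.action == "allow"
                    and rule.protocols <= earlier.protocols
                    and rule.destinations <= earlier.destinations
                    and all(any(a.covers(s) for a in earlier.sources) for s in rule.sources)):
                shadowed.append(rule.name)
                break
    return shadowed


# Order the guide leaves after Scenario 3 (deny rule first) and after "Move Down"
DENY_FIRST = [DENY_RESTRICTED, ALLOW_INTERNAL]
ALLOW_FIRST = [ALLOW_INTERNAL, DENY_RESTRICTED]

INTERNAL_CLIENT2 = IPv4Address("10.54.1.10")   # constructed: inside the restricted set
INTERNAL_CLIENT1 = IPv4Address("10.1.0.20")    # constructed: Internal, outside the set
```

    Running shadowed_deny_rules over the policy after each Apply is the quick way to catch a deny rule that a Move Down has silently disabled.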


    4.4 Scenario 4: Create a perimeter network using the Network Template Wizard

    In this scenario, you will use the Network Template Wizard to create a perimeter network.

    To configure this scenario, you will perform the following steps:

    4.4.1 Create a perimeter network

    4.4.2 Restore restricted computer set access rule

    4.4.1 Create a perimeter network


    You will use the Network Template Wizard to create the perimeter network, and to

    establish Internet access from the Internal network to the Internet.

    To create a perimeter network, perform the following steps:

    1. In Microsoft ISA Server Management, expand ISA_1, click Configuration, and then click Networks.

    2. In the task pane, on the Templates tab, select 3-Leg Perimeter. This starts the Network Template Wizard.

    3. On the Welcome page, click Next.

    4. On the Export the ISA Server Configuration page, click Export if you want to preserve your current configuration. With this step, you can revert to your current configuration by importing it from the saved file. If you click Export, provide a location and a descriptive file name such as Configuration prior to configuring 3-leg Perimeter, and click Export.

    5. On the Export the ISA Server Configuration page, click Next.

    6. On the Internal Network IP Addresses page, use the Add and Remove buttons to ensure that only the IP addresses of the Internal network are shown. This would include the IP address of InternalClient1 and the IP address of the network adapter card on ISA_1 that connects to the Internal network. Click Next.

    7. On the Perimeter Network IP Addresses page, use the Add and Remove buttons to ensure that only the IP addresses of the perimeter network are shown. This would include the IP address of Perimeter_IIS, and the IP address of the network adapter card on ISA_1 that connects to the perimeter network. Click Next.

    8. On the Select a Firewall Policy page, select Allow limited Web access to create an access rule allowing access from the Internal network to the External network (upon completion of the wizard), and then click Next.

    9. On the summary page, review the network configuration, and then click Finish.

    10. In the details pane, click Apply to apply the changes you made using the wizard.

    Note: The Network Template Wizard creates two network rules: one that creates a route relationship between the perimeter network and the External network (the Perimeter Access rule), and one that creates a NAT relationship between the Internal network and the perimeter network (the Perimeter Configuration rule). Verify that the rules were created by selecting the Network Rules tab in the Networks details pane.

    A route relationship is bidirectional. Routing is from source to destination and destination to source. A NAT relationship is unidirectional. Routing is from source to destination.

    4.4.2 Restore restricted computer set access rule

    When you ran the Network Template Wizard and applied changes, you removed the restricted computer set and the access rule denying the restricted computer set access to the Internet. You could create these again, or you can import them from the .xml files you saved when you created the restricted computer set and its access rule.

    To import the configuration, perform the following steps:

    1. In Microsoft ISA Server Management, expand ISA_1, right-click Firewall Policy, and select Import.

    2. Provide the location and file name for the exported access rule, such as Restricted Computer Set Internet Deny Rule.xml created in Scenario 3, and click Import. When the import is complete, click OK.

    3. In the details pane, click Apply to apply the changes you made.

    Note: When you import an access rule, you also import the rule elements that it refers to, so there is no need to import the computer set separately. You can import rule elements separately by right-clicking the type of rule element in the task pane, on the Toolbox tab, and selecting Import All.


    4.5 Scenario 5: Publish a Web server on the perimeter network

    In this scenario, a Web server located on the perimeter network will be made available to

    users on the Internet.

    You use Web publishing rules to publish Web servers. Web publishing rules require Web listeners, which listen for Web requests.

    The following computers are required:

    ISA_1, with at least three network adapters.

    Perimeter_IIS, on PerimeterNet, to test the scenario.

    External1, on MockInternet, to test the scenario.

    To configure this scenario, you will perform the following steps:

    4.5.1 Create a Web publishing rule

    4.5.2 Test the scenario

    4.5.1 Create a Web publishing rule

    To create a Web publishing rule allowing a client computer on the Internet (External1) access to a Web server on the perimeter network (Perimeter_IIS), perform the following steps:

    1. In Microsoft ISA Server Management, expand ISA_1, and click Firewall Policy.


    2. In the task pane, on the Tasks tab, click Publish a Web server to start the New Web Publishing Rule Wizard.

    3. On the Welcome page, in Web publishing rule name, type the rule name: Allow External to Perimeter_IIS. Click Next.

    4. On the Select Rule Action page, select Allow, and then click Next.

    5. On the Define Website to Publish page, in Computer name or IP address, type the IP address or computer name of the Web server to publish, and then click Next.

    Note: On the Define Website to Publish page, in Folder, you can specify a specific folder to publish.

    6. On the Public Name Details page, verify that This domain name is selected. In the text box under This domain name, type the public domain name or IP address of the published website. This is what the user will type in the address field of the browser to access your website. In a laboratory setting where there is no resolvable name, use the IP address of the ISA Server computer's external network adapter. You can specify a folder, which will be appended to the name and is then displayed in Site. Click Next.

    7. On the Select Web Listener page, click New to start the New Web Listener Wizard.

    8. On the Welcome page of the New Web Listener Wizard, in Web listener name, type the name of the Web listener: Listen on Port 80 of External Network. Then, click Next.

    9. On the IP Addresses page, select External, and then click Next. This listener will then listen for requests from the External network.

    10. On the Port Specification page, in HTTP port, type 80. Optionally, you can select Enable SSL and an SSL port if you want to publish on HTTPS. This would require you to select a certificate on this page, using the Select button. Click Next.

    11. Review the summary page, and then click Finish to close the New Web Listener Wizard.

    12. On the Select Web Listener page, click Next.

    13. On the User Sets page, verify that All Users is listed in This rule applies to requests from the following user sets. Click Next.

    14. Review the summary page, and then click Finish.

    15. In the details pane, click Apply to apply the changes you made.

    Note: You can create and modify Web listeners independently of Web publishing rules. Access to existing Web listeners is through the Web Listeners folder on the Toolbox tab in the Firewall Policy task pane. To create a new Web listener, in the Firewall Policy task pane, on the Toolbox tab, click New, and then select Web Listener.

    4.5.2 Test the scenario


    To verify that the scenario works, the external client, External1, will access

    Perimeter_IIS, the HTTP server located on the perimeter network (PerimeterNet). On

    External1, perform the following steps:

    1. Open Internet Explorer.

    2. Verify that no proxy client is configured. To do this, on the Tools menu, select Internet Options. On the Connections tab, click LAN Settings. Verify that none of the following check boxes are selected: Automatically detect settings, Use automatic configuration script, and Use a proxy server for your LAN. Click OK to close Internet Options.

    3. In Address, type the IP address of the ISA Server computer's external network adapter.

    If the client accessed the default website on Perimeter_IIS, you successfully configured

    this scenario.


    4.6 Scenario 6: Publish a Web server on the Internal network

    In this scenario, a Web server located on the Internal network will be made available to

    users on the Internet. The following computers are required:

    ISA_1, with at least two network adapters available.

    InternalWebServer as the Web server, to test the scenario.

    External1 on MockInternet as the external client, to test the scenario.

    To configure this scenario, you will perform the following steps:

    4.6.1 Create network rules

    4.6.2 Publish the Web server

    4.6.3 Test the scenario

    4.6.1 Create network rules

    Before you verify the network rule defining the network relationship between Internal

    and External networks, see section 4.2.1 for instructions on validating the configuration

    of the Internal network.

    Upon installation, a default network rule, defining a NAT relationship from the Internal

    network to the External network, was created. On ISA_1, to verify that the rule is properly configured, perform the following steps:

    1. In Microsoft ISA Server Management, expand ISA_1, expand the Configuration node, and then click Networks to view the Networks details pane.


    2. In the details pane, click the Network Rules tab. You can verify the rule in the details pane, or open the rule properties as described in the following steps.

    3. Double-click the Internet Access rule to open Internet Access Properties.

    4. On the General tab, ensure that the rule is enabled.

    5. On the Source Networks tab, ensure that the Internal network is listed.

    6. On the Destination Networks tab, ensure that the External network is listed.

    7. On the Network Relationship tab, ensure that Network Address Translation is selected.

    4.6.2 Publish the Web server

    Use Web publishing rules to allow external clients to access the Web server located on the

    Internal network.

    Publishing the Web server requires that you create a Web publishing rule. In the process of creating the rule, you will also create a Web listener that specifies on which IP addresses ISA Server will listen for requests for the internal website. If you still have the listener that you created for the perimeter Web publishing scenario, you should use it in this scenario, rather than create a new listener.

    Note: You can create and modify Web listeners independently of Web publishing rules.

    Access to existing Web listeners is through the Web Listeners folder on the Toolbox tab

    in the Firewall Policy task pane. To create a new Web listener, in the Firewall Policy taskpane, on the Toolbox tab, clickNew, and then select Web Listener.

    To create a Web publishing rule allowing a client computer on the Internet (External1)

    access to a Web server on the Internal network (InternalWebServer), perform the

    following steps:

    1. In Microsoft ISA Server Management, expand ISA_1, and click Firewall Policy.

    2. In the task pane, on the Tasks tab, click Publish a Web server to start the New Web Publishing Rule Wizard.

    3. On the Welcome page, in Web publishing rule name, type the rule name: Allow External to InternalWebServer. Click Next.

    4. On the Select Rule Action page, select Allow, and then click Next.

    5. On the Define Website to Publish page, in Computer name or IP address, type the IP address or computer name of the Web server to publish. In a laboratory setting where there is no resolvable name, use the IP address of the ISA Server computer's external network adapter. Click Next.

    Note: On the Define Website to Publish page, in Folder, you can specify a specific folder to publish. In a laboratory setting where there is no DNS server, you would use the same IP address to identify both the perimeter and internal Web servers, so only one will be available at a time, based on which rule appears first in the rule order. In a production deployment, or in a laboratory deployment with a DNS server, the use of names that are resolved by a DNS server would eliminate this issue.

    6. On the Public Name Details page, verify that This domain name is selected. In the text box under This domain name, type the public domain name or IP address of the published website. This is what the user types in the address field of the browser to access your website. You can specify a folder, which will be appended to the name and is then displayed in Site. Click Next.

    7. On the Select Web Listener page, click New to start the New Web Listener Wizard.

    8. On the Welcome page of the New Web Listener Wizard, in Web listener name, type the name of the Web listener: Listen on Port 80 of External Network. Then, click Next.

    9. On the IP Addresses page, select External, and then click Next. This listener will then listen for requests from the External network.

    10. On the Port Specification page, in HTTP port, type 80. Optionally, you can select Enable SSL and an SSL port if you want to publish on HTTPS. This would require you to select a certificate on this page, using the Select button. Click Next.

    11. Review the summary page, and then click Finish.

    12. On the Select Web Listener page, click Next.

    13. On the User Sets page, verify that All Users is listed in This rule applies to requests from the following user sets. Click Next.

    14. Review the summary page, and then click Finish.

    15. In the details pane, click Apply to apply the changes you made.
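    The public-name problem raised in the note on step 5, as an added model (not ISA Server code and not part of this guide): the two Web publishing rules from Scenarios 5 and 6 routed by the name the user typed, first when both share the ISA external IP address as their public name and then when each has its own DNS name. It assumes both rules use This domain name, as the wizard steps instruct; the IP address and the domain names are constructed.

```python
"""Public-name matching of the Web publishing rules from Scenarios 5 and 6.

Added model, not ISA Server code. Each rule uses "This domain name", as the
wizard steps instruct, so a request is served only when the name the user
typed matches a rule's public name. IP address and domain names are constructed.
"""
from dataclasses import dataclass

ISA_EXTERNAL_IP = "192.0.2.10"   # constructed: ISA_1 external adapter address


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    public_names: frozenset   # names the user may type in the browser address field
    server: str               # published server: Perimeter_IIS or InternalWebServer


def route(rules, host_header):
    """Server that serves a request arriving on the External Web listener, or
    None when no rule's public name matches (ISA Server then refuses it)."""
    host = host_header.split(":")[0].lower()   # drop any ":80" the browser adds
    for rule in rules:                          # rules are tried in policy order
        if host in rule.public_names:
            return rule.server
    return None


def ambiguous_public_names(rules):
    """Public names claimed by more than one rule; only the first rule that
    carries such a name can ever be reached through it."""
    seen, duplicates = set(), set()
    for rule in rules:
        for public_name in rule.public_names:
            if public_name in seen:
                duplicates.add(public_name)
            seen.add(public_name)
    return sorted(duplicates)


# Lab with no DNS server: both rules publish under the ISA external IP address
NO_DNS = [
    WebPublishingRule("Allow External to Perimeter_IIS",
                      frozenset({ISA_EXTERNAL_IP}), "Perimeter_IIS"),
    WebPublishingRule("Allow External to InternalWebServer",
                      frozenset({ISA_EXTERNAL_IP}), "InternalWebServer"),
]
# With DNS: each rule has its own resolvable public name (constructed names)
WITH_DNS = [
    WebPublishingRule("Allow External to Perimeter_IIS",
                      frozenset({"perimeter.example.test"}), "Perimeter_IIS"),
    WebPublishingRule("Allow External to InternalWebServer",
                      frozenset({"www.example.test"}), "InternalWebServer"),
]
```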

    4.6.3 Test the scenario

    To verify that the scenario works, the external client, External1, will access

    InternalWebServer, the HTTP server located on the Internal network (CorpNet). ISA_1

    will listen for the requests on behalf of InternalWebServer, and forward them in accordance with the Web publishing rule to InternalWebServer.

    On External1, perform the following steps:

    1. Open Internet Explorer.

    2. In Address, type the IP address of the external adapter on ISA_1.

    If the client accessed the default website on InternalWebServer, you successfully configured this scenario.


    4.7 Scenario 7: Configure virtual private networking


    In this scenario, ISA Server serves as the VPN server for remote clients connecting to the

    corporate (Internal) network. The following computers are required:

    ISA_1, with at least two network adapters available.

    External1 on MockInternet, the VPN client, to test the scenario.

    InternalClient1 on Corpnet, to test the scenario.

    The following sections describe how to configure the scenario:

    4.7.1 Enable VPN client access

    4.7.2 Create access rules

    4.7.3 Create a Windows user with dial-up permissions

    4.7.4 Create a network dial-up connection

    4.7.5 Test the scenario

    4.7.1 Enable VPN client access

    In this step, you will enable VPN client access. To allow VPN connections, you must

    enable virtual private networking. All other VPN client properties will assume the default

    settings. This includes the default settings for the pool of IP addresses dynamically assigned from the Internal network, which will be available for clients connecting to ISA

    Server. This solution also assumes a dynamically assigned name resolution server that

    VPN clients can use to resolve names on the Internal network.

    To configure the VPN properties, perform the following steps:

    1. In Microsoft ISA Server Management, expand ISA_1, and click Virtual Private Networks (VPN).

    2. In the task pane, on the Tasks tab, click Enable VPN Client Access.

    3. In the details pane, click Apply to appl