MICROSOFT ISA SERVER 2006
Series Index
- Getting started with Microsoft ISA Server 2006, Part 1: Introduction
- Getting started with Microsoft ISA Server 2006, Part 2: Environment Setup
- Getting started with Microsoft ISA Server 2006, Part 3: Installation
- Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1
- Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept
- Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout
- Getting started with Microsoft ISA Server 2006, Part 7: Create DNS Lookup Rule
- Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule
- Getting started with Microsoft ISA Server 2006, Part 9: Client Configuration
- Getting started with Microsoft ISA Server 2006, Part 10: Logging
- Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering
- Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger
INTRODUCTION
History of ISA Server
The history of ISA Server starts with Microsoft Proxy Server 1.0 and Microsoft Proxy Server 2.0, both released in 1997. They were designed mainly to share an Internet connection and each came in a single edition. Proxy Server 1.0 offered only basic functionality and had many limitations; version 2.0 improved on it considerably, adding Windows NT account integration, support for many more protocols, and packet filtering. ISA Server 2000 followed in 2001, ISA Server 2004 in 2004 and ISA Server 2006 in 2006, each in two editions: Standard and Enterprise.
ISA Server 2004 introduced multi-networking support, integrated virtual private networking (VPN) configuration, application-layer firewall support, support for the H.323 protocol, Active Directory integration, SecureNAT, secure server publishing, and improved reporting and management features. Its rule-based configuration was also considerably simpler than that of ISA Server 2000. ISA Server 2004 Enterprise Edition added array support, integrated Network Load Balancing (NLB) and the Cache Array Routing Protocol (CARP). One of the core capabilities of ISA Server 2004 was the secure publishing of Web servers. ISA Server 2006 is an updated version of ISA Server 2004 with no major differences; most features and the management interface of the two versions are very similar.
The next version of ISA Server is Forefront Threat Management Gateway, which runs only on 64-bit platforms and Windows Server 2008. At the time of writing, the current release is Beta 3.
Features of ISA Server 2006
Microsoft ISA Server 2006 comes in two editions: Standard and Enterprise. The major differences between them are scalability and network load balancing support. The Standard Edition can be installed on a single server with up to 4 CPUs and 2 GB of RAM. See Comparison of Standard and Enterprise Editions for ISA Server 2006 for more information.
Here is a summary of the features of ISA Server 2006:
- Multi-layer firewall. Provides three types of firewall functionality: packet filtering, stateful filtering (also called circuit-layer filtering), and application-layer filtering.
- Application-layer filtering. Provides deep content filtering through built-in application filters.
- Virtual private networking capability.
- Intrusion detection capability. Flood protection against denial of service (DoS) and distributed denial of service (DDoS) attacks, IP spoofing protection, etc.
- Support for various authentication methods. Authenticates users with built-in Windows, LDAP, RADIUS or RSA SecurID authentication.
Environment Setup
In the first part, you got an overview of ISA Server 2006. Before going through the real examples, you should know the system environment that I am going to use in this series. This post covers the hardware and software requirements for ISA Server 2006, and then the server and network configurations.
System Requirements
Below are the minimum requirements for ISA Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition.
- Pentium III 733 MHz or higher.
- 512 MB of RAM or more.
- 150 MB of free hard-disk space.
- Microsoft Windows Server 2003 32-bit with Service Pack 1 (SP1), or Microsoft Windows Server 2003 R2 32-bit.
Server Configuration
There are three servers which I will use throughout this series. I already have the following servers in the network:
- BKKNET001, which runs Windows XP Professional. This is a client PC for testing Internet access. Its IP address is obtained from the DHCP server.
Network Configuration
I try to keep the network configuration as simple as possible. On the left side of the ISA Server 2006 server is my internal network (LAN), which contains the clients and a server of my network. On the right side of the ISA Server 2006 server is the external network, which connects to the router that connects to the Internet. The image below is the network diagram of my example.
What's Next?
INSTALLATION
Getting started with Microsoft ISA Server 2006, Part I: Installation
Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2006 is a firewall and proxy product from Microsoft. It can protect the local network from attackers, restrict users' Internet access, improve Internet performance for users through caching, and log every connection that passes through ISA Server.
This post shows how to install ISA Server 2006 Standard Edition on a Windows Server 2003 machine with two network interfaces: one connected to the internal network (LAN) and the other connected to the external network (Internet). The diagram is shown below:
Step-by-step
- Open the ISA Server setup program.
- Click Next.
- Enter your license information and click Next.
- Select the setup type. If you want to customize features or change the installation directory, select Custom; otherwise select Typical. I leave Typical for convenience.
- On Internal Network, you must enter your internal IP address range, either manually or by selecting a network adapter. Before clicking Next, make sure the range is correct: ISA Server uses it to decide which addresses belong to the trusted Internal network.
- On Firewall Client Connections, if you are not upgrading from a previous version of ISA Server (ISA Server 2000 or 2004), leave the check box cleared and click Next. Otherwise, select the check box before continuing.
- On Service Warning, click Next. Note that some services will be restarted or disabled during installation.
- Click Install.
- Wait for the installation to finish.
- Select "Invoke ISA Server Management when the wizard closes" if you want to configure ISA Server now.
- You have now finished installing ISA Server 2006. To configure it, continue with the next part.
Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
Network Topology
In Part I, you finished installing ISA Server 2006. Before using the server, you need to do some configuration first. On the Getting Started with ISA Server 2006 page in ISA Server Management, there are five steps for setting up ISA Server, as shown in the figure below.
To use ISA Server, only the first two steps in the figure need to be configured, so this part shows how to configure the network topology, which is the first step. The second step is covered in the next part (Part III). You also need to configure the clients so they can use ISA Server; client configuration is covered in Part IV.
Step-by-step
Next, I will create a new access rule that allows all users in the internal network to reach the Internet (the External network) using only the HTTP (TCP port 80) and HTTPS (TCP port 443) protocols.
Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
Firewall Policy
In Part II, you configured the network topology. Now you need to create a policy rule to allow traffic to pass through ISA Server.
By default, ISA Server has only the default rule, which blocks all traffic through ISA Server. You add rules above it to match your organization's policy. In each rule you can set the action (allow or deny), the protocols, the source and destination addresses, the users (ISA Server can integrate with Active Directory), the schedule during which the rule applies, and the content types.
- When the New Access Rule Wizard appears, enter a name for the access rule and click Next.
- On Rule Action, select Allow and click Next.
- On Protocols, click Add. In the Add Protocols window, expand Common Protocols and select HTTP and HTTPS. Click Next.
- On Access Rule Sources, click Add. In the Add Network Entities window, expand Networks and select Internal. Click Next.
- On Access Rule Destinations, add the External network and click Next.
- On User Sets, leave All Users and click Next. Note that All Users also matches unauthenticated connections such as those from SecureNAT clients; choose All Authenticated Users if you want to require authentication.
- Click Finish to complete the new rule.
- Again, don't forget to click Apply so that the change takes effect on ISA Server.
- The next part covers client configuration for accessing ISA Server.
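To make the effect of the rule built above concrete, here is an added example (written for this page, not ISA Server's own code) that models how ISA Server evaluates firewall policy: rules are tried top to bottom, the first rule whose protocol, source, destination and user set all match decides the connection, and the built-in default rule at the bottom denies everything no earlier rule matched. The "Block guests" rule, the user names and the connection samples are made up for the example.

```python
"""Model of ISA Server firewall policy evaluation: ordered rules, first match wins.

Added example, not ISA Server code. The network names Internal/External and the
Web Access rule follow this part of the series; users and the guest rule are
made up for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Protocol definitions as (transport, destination port), like ISA's Common Protocols.
PROTOCOLS = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "DNS": ("udp", 53),
    "SMTP": ("tcp", 25),
}
ALL_NETWORKS = "All Networks"  # source and destination of the default rule


@dataclass(frozen=True)
class Connection:
    """One connection attempt as the firewall sees it."""
    source_network: str
    dest_network: str
    transport: str
    dest_port: int
    user: str = "anonymous"  # SecureNAT clients never carry a user identity


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                             # "Allow" or "Deny"
    protocols: Optional[FrozenSet[str]]     # None = all outbound traffic
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    users: Optional[FrozenSet[str]] = None  # None = All Users (includes anonymous)

    def matches(self, conn: Connection) -> bool:
        if self.protocols is not None and not any(
                PROTOCOLS[p] == (conn.transport, conn.dest_port) for p in self.protocols):
            return False
        if ALL_NETWORKS not in self.sources and conn.source_network not in self.sources:
            return False
        if ALL_NETWORKS not in self.destinations and conn.dest_network not in self.destinations:
            return False
        return self.users is None or conn.user in self.users


# The rule ISA Server adds itself; it is always evaluated last.
DEFAULT_RULE = AccessRule("Default rule", "Deny", None,
                          frozenset({ALL_NETWORKS}), frozenset({ALL_NETWORKS}))


def evaluate(policy: List[AccessRule], conn: Connection) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the connection."""
    for rule in list(policy) + [DEFAULT_RULE]:
        if rule.matches(conn):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default rule matches everything")


# The rule created in this part: Internal -> External, HTTP and HTTPS, All Users.
WEB_ACCESS = AccessRule("Web Access", "Allow", frozenset({"HTTP", "HTTPS"}),
                        frozenset({"Internal"}), frozenset({"External"}))
# A deny rule for one user set; placed above the allow rule so it wins for that user.
BLOCK_GUESTS = AccessRule("Block guests", "Deny", frozenset({"HTTP", "HTTPS"}),
                          frozenset({"Internal"}), frozenset({"External"}), frozenset({"guest"}))
POLICY = [BLOCK_GUESTS, WEB_ACCESS]

# Constructed connection attempts.
WEB_FROM_LAN = Connection("Internal", "External", "tcp", 80, "alice")
TLS_FROM_LAN = Connection("Internal", "External", "tcp", 443, "alice")
MAIL_FROM_LAN = Connection("Internal", "External", "tcp", 25, "alice")
WEB_FROM_GUEST = Connection("Internal", "External", "tcp", 80, "guest")
WEB_INBOUND = Connection("External", "Internal", "tcp", 80)

if __name__ == "__main__":
    for conn in (WEB_FROM_LAN, TLS_FROM_LAN, MAIL_FROM_LAN, WEB_FROM_GUEST, WEB_INBOUND):
        action, rule = evaluate(POLICY, conn)
        print(f"{conn.source_network}->{conn.dest_network} {conn.transport}/{conn.dest_port} "
              f"as {conn.user}: {action} ({rule})")
```

Swapping the order of POLICY to [WEB_ACCESS, BLOCK_GUESTS] lets the guest through, because the allow rule now matches first. That is why rule order in the Firewall Policy list matters and why every rule you create is inserted above the default rule.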
Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
After completing Part III, you have done the basic configuration of ISA Server. In this part, you configure each client computer as one of three client types: SecureNAT client, Firewall Client or Web Proxy client. The topics below give more detail.
Client Types
The table below compares the ISA Server clients.
Feature \ Client type | SecureNAT client | Firewall Client | Web Proxy client |
--- | --- | --- | --- |
Installation required | No; some network configuration changes (default gateway or routing) may be required | Yes | No; Web browser configuration required |
Operating system support | Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) | Windows platforms only | All platforms, by way of a Web browser or other proxy-aware application |
Protocol support | Application filters required for protocols that use multiple connections | All Winsock applications | Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), and Gopher |
User-level authentication | No | Yes | Yes |
Server applications | No configuration or installation required | Configuration file required | Not applicable |
In this section, I show how to configure each client type on a client computer. You only need to choose one of the three configurations. A SecureNAT client needs no software: set the client's default gateway to the IP address of the ISA Server's internal interface (or to a router that forwards Internet-bound traffic to it). The Firewall Client and Web Proxy client configurations follow.
Firewall Client
- Download the Firewall Client for ISA Server from Microsoft – Microsoft Firewall Client.
- Run the setup program and, on the ISA Server Computer Selection page, enter the DNS name or IP address of the ISA Server.
- After installation, the icon shown in the figure below appears in the notification area. Green means the client has successfully connected to ISA Server; red means the client cannot connect. Double-click the icon for more detail.
- If you double-clicked the icon in the previous step, select the Settings tab to verify that the ISA Server selection is typed correctly. Also click Apply Default Settings Now so that other users on this computer use this configuration too.
Web Proxy Client
- Open the Web browser. In this example, I demonstrate with Internet Explorer.
- On the menu bar, select Tools -> Internet Options.
- In Internet Options, select the Connections tab and click LAN Settings.
- In Local Area Network (LAN) Settings, select "Use a proxy server for your LAN" and set Address and Port to the internal address and Web proxy port of your ISA Server.
Note: By default, the Web proxy listener port is 8080.
Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
Have you ever needed to block users from using MSN or Yahoo Messenger? Or from using free e-mail services? Or from posting anything on web boards? Or from downloading files with BitTorrent? This topic answers these questions using Microsoft ISA Server 2006.
From Parts I to IV, you have finished the basic configuration that makes ISA Server 2006 work in your network. But ISA Server can do a lot more than that. Another benefit is that it can filter HTTP traffic: if you know the attributes of each kind of HTTP traffic, you can block MSN/Yahoo Messenger, BitTorrent, web mail, posting on web boards and so on by allowing or blocking HTTP traffic with the HTTP filter. Most readers may not be familiar with what HTTP traffic looks like, so let's look at it in the next section.
Note: This topic is not required to run ISA Server; Parts I to IV are sufficient. But it will benefit most organizations by improving security.
HTTP Traffic
HTTP traffic on ISA Server is data that passes through ISA Server using the HTTP protocol (port 80 by default), which is the protocol used by most applications. Each HTTP message carries header information, sent from client to server or from server to client, such as the request method (GET, POST, etc.), the HTTP version (1.0 or 1.1), the User-Agent (Mozilla/4.0, Firefox, etc.) and the Content-Type (application/xml, image/jpeg, text/xml, etc.). I will not go into deep detail about the HTTP protocol; for more information, see Wikipedia – HTTP. With this header information, ISA Server can filter HTTP traffic to allow or block specific applications or traffic.
To see some samples of HTTP traffic, you can use a sniffer to capture each packet that passes in and out of a computer. The popular one is Ethereal (now Wireshark). I have installed Ethereal on a computer that runs a web server. Let's look at the examples of HTTP header information below.
A request sent from Internet Explorer to http://bkkexternal (bkkexternal is the computer that runs the web server).
Detail: The request method is GET. The URI is /. The User-Agent is Mozilla (compatible; MSIE 6.0).
This is the response header for the above request.
Detail: The response code is 200 (OK). The server is Apache 2.2.4. The Content-Type is text/xml.
A form submitted from the browser to the web server.
Detail: The request method is POST. The client host is bkkmisc01. The Content-Type is application/x-www-form-urlencoded.
Note: "\r\n" (carriage return followed by line feed, CRLF) marks the end of each header line; an empty line, that is a second CRLF, ends the header section.
Configurations
To configure the HTTP filter, you need to know which attribute and value to configure. In this post, I show only the following:
- Block specific browser: Firefox.
- Block MSN Messenger, Windows Live Messenger.
- Block download file .torrent.
- Block AOL Messenger.
- Block Yahoo Messenger.
- Block Kazaa.
- Block free web mail. (e.g. hotmail.com, mail.yahoo.com, etc.)
- Block post on web boards.
- Open the Microsoft ISA Server Management console.
- Right-click the access rule on which the HTTP filter is to be configured and select Configure HTTP. The HTTP policy is per rule: it applies only to traffic that this rule matches.
- Click the Signatures tab and click Add.
- Block specific browser: Firefox.
To block users from using the Firefox browser, configure a signature with "Firefox" as the Signature, Request headers in Search in, and User-Agent as the HTTP header.
- Block downloading .torrent files.
Configure a signature with "application/x-bittorrent" as the Signature and Content-Type as the HTTP header. Because the Content-Type of a downloaded file is set by the server, select Response headers in Search in; a Content-Type in the request headers only describes a body the client uploads. Alternatively, block the .torrent extension on the Extensions tab.
- Block AOL Messenger.
To block users from using AOL Messenger, configure a signature with "Gecko" as the Signature, Request headers in Search in, and User-Agent as the HTTP header. Note that "Gecko" also appears in the User-Agent of Firefox and other Mozilla-based browsers, so this signature blocks them as well.
- Block Yahoo Messenger.
To block users from using Yahoo Messenger, configure a signature with "msg.yahoo.com" as the Signature, Request headers in Search in, and Host as the HTTP header.
- Block Kazaa.
To block users from using Kazaa, configure a signature with "KazaaClient" as the Signature, Request headers in Search in, and User-Agent as the HTTP header.
- Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).
To block access to free web mail, block any URL that contains the string "mail" by configuring a signature with "mail" as the Signature and Request URL in Search in. This matches every URL containing "mail", including unrelated pages, so prefer specific host names where you can.
Keep in mind that the User-Agent and Host headers are written by the client application. A user who changes the User-Agent string bypasses a User-Agent signature, so these signatures enforce policy against ordinary clients rather than against a determined user.
- If users are blocked by the HTTP filter, they see a page like the figure below:
"Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter."
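The HTTP Traffic section above describes request headers only in words, and the signatures are entered in a dialog. As an added example (written for this page, not ISA Server code and not from the original post), the following Python parses raw request text with CRLF terminators into method, URI and headers, then applies a signature list modelled on the Signatures tab (search in Request headers with a header name, or in the Request URL) and a blocked-method set modelled on the Methods tab. The sample requests are constructed to match the details given above; the SeaMonkey User-Agent string, the www.example.com URL and case-insensitive matching are assumptions of this model, not facts about ISA Server.

```python
"""Simulated HTTP filter in the style of ISA Server's Configure HTTP dialog.

Added example, not ISA Server code: raw request text is parsed, then the
blocked-method list (Methods tab) and the signature list (Signatures tab)
are applied. All sample requests are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: Dict[str, str]  # header names lower-cased; lookups are case-insensitive


def parse_request(raw: bytes) -> Request:
    """Parse the header section of an HTTP/1.x request; lines end in CRLF."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, version, headers)


@dataclass
class Signature:
    name: str
    search_in: str          # "request_headers" or "request_url"
    header: Optional[str]   # header to inspect when search_in == "request_headers"
    pattern: str            # substring; this model matches case-insensitively (assumption)


# Signatures from the Configurations section above, tried in list order.
SIGNATURES = [
    Signature("Block Firefox", "request_headers", "User-Agent", "Firefox"),
    Signature("Block .torrent downloads", "request_headers", "Content-Type", "application/x-bittorrent"),
    Signature("Block AOL Messenger", "request_headers", "User-Agent", "Gecko"),
    Signature("Block Yahoo Messenger", "request_headers", "Host", "msg.yahoo.com"),
    Signature("Block Kazaa", "request_headers", "User-Agent", "KazaaClient"),
    Signature("Block web mail", "request_url", None, "mail"),
]
BLOCKED_METHODS = {"POST"}  # Methods tab: refusing POST stops form submissions to web boards


def matched_signature(req: Request, sigs=SIGNATURES) -> Optional[Signature]:
    for sig in sigs:
        if sig.search_in == "request_headers":
            haystack = req.headers.get(sig.header.lower(), "")
        else:
            haystack = req.uri  # Web Proxy clients put the absolute URL here
        if sig.pattern.lower() in haystack.lower():
            return sig
    return None


def filter_request(raw: bytes) -> Tuple[str, str]:
    """Return ("allowed", "") or ("blocked", reason) for one raw request."""
    req = parse_request(raw)
    if req.method in BLOCKED_METHODS:
        return ("blocked", f"method {req.method}")
    sig = matched_signature(req)
    return ("blocked", sig.name) if sig else ("allowed", "")


def _req(request_line: str, *headers: str, body: str = "") -> bytes:
    """Build a raw request with CRLF terminators (constructed sample data)."""
    return ("\r\n".join((request_line,) + headers) + "\r\n\r\n" + body).encode("iso-8859-1")


IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1) Gecko/20061010 Firefox/2.0"
SEAMONKEY_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060101 SeaMonkey/1.0"

SAMPLE_IE = _req("GET / HTTP/1.1", "Host: bkkexternal", f"User-Agent: {IE_UA}")
SAMPLE_FIREFOX = _req("GET / HTTP/1.1", "Host: bkkexternal", f"User-Agent: {FIREFOX_UA}")
SAMPLE_SEAMONKEY = _req("GET / HTTP/1.1", "Host: bkkexternal", f"User-Agent: {SEAMONKEY_UA}")
SAMPLE_POST = _req("POST /board/post.php HTTP/1.1", "Host: bkkexternal",
                   "Content-Type: application/x-www-form-urlencoded", "Content-Length: 9",
                   body="msg=hello")
SAMPLE_WEBMAIL = _req("GET http://mail.yahoo.com/ HTTP/1.1", "Host: mail.yahoo.com", f"User-Agent: {IE_UA}")
SAMPLE_OVERMATCH = _req("GET http://www.example.com/email-policy.html HTTP/1.1",
                        "Host: www.example.com", f"User-Agent: {IE_UA}")


def with_user_agent(raw: bytes, ua: str) -> bytes:
    """Rewrite User-Agent: the client owns this header, so it can claim anything."""
    req = parse_request(raw)
    headers = {**req.headers, "user-agent": ua}
    lines = [f"{req.method} {req.uri} {req.version}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    for name in ("SAMPLE_IE", "SAMPLE_FIREFOX", "SAMPLE_SEAMONKEY", "SAMPLE_POST",
                 "SAMPLE_WEBMAIL", "SAMPLE_OVERMATCH"):
        print(f"{name:17} -> {filter_request(globals()[name])}")
    print("Firefox with IE User-Agent ->", filter_request(with_user_agent(SAMPLE_FIREFOX, IE_UA)))
```

Three results are worth noticing. SAMPLE_SEAMONKEY is blocked by the "Gecko" signature meant for AOL Messenger, and SAMPLE_OVERMATCH is blocked by the "mail" signature although it is not web mail; both show how broad substrings overreach. And with_user_agent shows the limit of header signatures: the client writes the User-Agent, so a Firefox request that claims to be Internet Explorer passes. Signatures on client-controlled headers are a policy convenience, not a security boundary.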
This is the end of this series. Having gone from installing ISA Server to configuring the network topology, a basic rule, the client types and the HTTP filter, you now have the basic knowledge and understanding to operate ISA Server on your own. There are some configurations I did not cover, for instance how to configure caching on ISA Server or how to implement VPN.
Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1
Update Service Pack 1
In Part 3: Installation, I installed ISA Server 2006 Enterprise Edition on the server. There is a service pack for ISA Server 2006 which you can download from the Microsoft website, so in this post I show how to update the server to ISA Server 2006 Service Pack 1.
Note: There are other security updates for ISA Server 2006 besides the service pack, which I will not cover in this series. You should check for and install them on your own.
There are many new features and enhancements in ISA Server 2006 Service Pack 1:
New Features
- Configuration Change Tracking. Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
- Web Publishing Rule Test Button. Tests the consistency of a Web publishing rule between the published server and ISA Server.
- Traffic Simulator. Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
- Diagnostic Logging Query. Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.
- Support for integrated NLB in all three modes: unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, integrated NLB supported unicast mode only.
- Support for certificates with multiple Subject Alternative Name (SAN) entries on published Web servers.
- Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts.
- Improved Web Publishing Load Balancing (WPLB) cookie handling.
- Alert improvements.
- New performance counters.
Step-by-step
- Download the file from Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1.
- Double-click the downloaded file, ISA2006-KB943462-X86-ENU.msp, to run the setup wizard.
- On Welcome to the Update for Microsoft ISA Server 2006 Service Pack 1, click Next.
- On License Agreement, select I accept the terms in the license agreement and click Next.
- On Locate Configuration Storage Server, specify the Configuration Storage server. In this example, I leave the default and click Next.
- On Ready to Install the Program, click Install.
- On Installing Microsoft ISA Server 2006 Service Pack 1, wait until the installation completes.
- On Installation Wizard Completed, click Finish.
- A pop-up message asks you to restart the system for the configuration changes made to ISA Server 2006 to take effect. Click Yes to restart now.
- Once the system has restarted, you can check that the ISA Server 2006 version has been updated by opening ISA Server Management: click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
- In ISA Server Management, click Help -> About Microsoft ISA Server 2006.
- On About Microsoft ISA Server 2006, you see the current version of ISA Server 2006. The version for ISA Server 2006 Service Pack 1 is 5.0.5723.493.
Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept
Configure Network Layout
In Part 3: Installation and Part 4: Service Pack 1, you learned how to install and update ISA Server 2006. Next, it is time to configure it. In this post, I show how to configure the networking environment for ISA Server 2006 by selecting one of the predefined network templates.
By default, ISA Server 2006 comes with five predefined network templates. Select the one that matches your networking environment. Let's look at each of them in detail.
- Edge Firewall
This is the standard network topology for a small to medium organization. ISA Server is the main gateway controlling traffic between the internal network (LAN) and the Internet. ISA Server needs two network interface cards.
- 3-Leg Perimeter
This is a standard network topology for a medium to large organization. Compared with the edge firewall, there is an additional network, the perimeter network, connected to the ISA Server. The perimeter network, or DMZ (demilitarized zone), is a less trusted network that hosts the Web server, e-mail server, DNS server and other services offered to Internet users and also to internal users. ISA Server needs three network interface cards.
- Front Firewall
This topology is for an organization where security is a high priority and there is more than one firewall. If an attacker compromises the front firewall, the back firewall still protects the internal network. In this template, ISA Server acts as the front firewall between the Internet and the perimeter network, and needs two network interface cards.
- Back Firewall
This template is similar to the front firewall template, except that the ISA Server you are configuring is the back firewall, which stands between the internal network and the perimeter network. ISA Server needs two network interface cards.
- Single Network Adapter
This template is for ISA Server acting as a proxy server only; ISA Server can cache content to improve performance for users browsing the Internet. As the name says, it requires only a single network interface card. ISA Server does not act as a firewall in this mode, because the Internal network then covers all IP addresses and there is no separate External network.
Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout
Configure Network Layout
In Part 5: Network Layout Concept, you learned about the network templates. In this post, I show how to configure the networking environment of ISA Server 2006 using the Edge Firewall template, which is the most suitable template for this example. You can see the network diagram of the example in Part 2: Environment Setup.
Step-by-step
- Open ISA Server Management by click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
- In Microsoft Internet Security and Acceleration Server 2006, expand Arrays -> BKKISA001 -> Configuration -> Networks.
- Select the Templates tab and click the Edge Firewall template.
- The Network Template Wizard appears; click Next to continue.
- On Export the ISA Server Configuration, you can click Export to back up your current ISA Server configuration. As this is the first-time configuration, there is no need to back anything up.
- On Internal Network IP Addresses, verify if the IP address ranges are correct. My internal network is 192.168.10.0/24 so the existing range is correct. Click Next.
- On the firewall policy selection page, select Block all. This option blocks all network access through ISA Server and creates no access rules other than the default rule, which blocks all access. Use this option when you want to define the firewall policy on your own. Click Next.
- On Completing the Network Template Wizard, click Finish.
- You will then notice a warning icon at the top of ISA Server Management. This means that the changes you have made have not taken effect yet. To update the configuration, click Apply.
Note: If you want to undo the changes you have made instead, click Undo.
- The changes have been saved.