PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2005 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number 2004118212

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to [email protected].

Microsoft, Active Directory, ActiveSync, FrontPage, Microsoft Press, MSDN, MSN, Outlook, PowerPoint, SharePoint, Visual Basic, Visual Studio, Win32, Windows, Windows Mobile, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Product Planner: Martin DelRe
Content Development Manager: Lori Kane
Project Manager: Julie Pickering
Project Editor: Susan McClung
Technical Editor: Kurt Dillard
Technologist: Colin Lyth
Copy Editor: Peter Tietjen
Proofreaders: Jan Cocker, Cindy Gearhart, and Kiren Valjee
Indexer: Jack Lewis

Body Part No. X11-10416

As always, I dedicate this book to the three wonderful women in my life: my wife, Rhonda, and my daughters, Angela and Amanda.
Stan Reimer

To my beautiful and lovely wife, Oksana, and my fantastic son, Rooslan. You make this all possible.
Orin Thomas

About the Authors

Stan Reimer, Microsoft Certified System Engineer (MCSE), and Microsoft Certified Trainer (MCT), is the president of SR Technical Services based in Winnipeg, Manitoba. Stan works as a consultant and trainer specializing in Microsoft ISA Server, Microsoft Exchange Server, and Active Directory design and implementation. Stan has worked as a consultant with some of the largest corporations in Canada, as well as some of the smallest. He is the co-author of Active Directory for Microsoft Windows Server 2003 Technical Reference, published by Microsoft Press, and also authors courseware and security clinics for Microsoft Learning. In the summer, Stan finds hitting the road on his motorcycle or hitting golf balls on a golf course to be excellent therapy. In the winter, he just works, because it is too cold in Winnipeg to do anything else.

Orin Thomas is a writer, editor, trainer, and systems administrator who works for the certification advice Web site Certtutor.net. His work in IT has been varied: he has done everything from providing first-level networking support to a university department to managing mission-critical servers for one of Australia's largest companies. He has co-authored several MCSA/MCSE self-paced training kits for Microsoft Learning. He holds a variety of certifications, a bachelor's degree in science with honors from the University of Melbourne, and is currently working toward the completion of a Ph.D in Philosophy of Science.

Contents at a Glance

Part 1 Learn at Your Own Pace
1 Introduction to ISA Server 2004 . . . 1-3
2 Installing ISA Server 2004 . . . 2-1
3 Securing and Maintaining ISA Server 2004 . . . 3-1
4 Installing and Managing ISA Server Clients . . . 4-1
5 Enabling Secure Internet Access with ISA Server 2004 . . . 5-1
6 Implementing ISA Server Caching . . . 6-1
7 Configuring ISA Server as a Firewall . . . 7-1
8 Implementing ISA Server Publishing . . . 8-1
9 Integrating ISA Server 2004 and Exchange Server . . . 9-1
10 Configuring Virtual Private Networks for Remote Clients and Networks . . . 10-1
11 Implementing Monitoring and Reporting . . . 11-1
12 Implementing ISA Server 2004, Enterprise Edition . . . 12-1

Part 2 Prepare for the Exam
13 Planning and Installing ISA Server 2004 (1.0) . . . 13-3
14 Installing and Configuring Client Computers (2.0) . . . 14-1
15 Configuring and Managing ISA Server 2004 (3.0) . . . 15-1
16 Configuring Web Caching (4.0) . . . 16-1
17 Configuring Firewall Policy (5.0) . . . 17-1
18 Configuring and Managing Remote Network Connectivity (6.0) . . . 18-1
19 Monitoring and Reporting ISA Server 2004 Activity (7.0) . . . 19-1

Practices
Installing ISA Server 2004 . . . 2-29
Securing the Computer Running ISA Server . . . 3-14
Securing ISA Server . . . 3-24
Maintaining ISA Server 2004 . . . 3-34
Configuring SecureNAT and Web Proxy Clients . . . 4-25
Installing and Configuring Firewall Clients . . . 4-43
Configuring ISA Server as a Proxy Server . . . 5-26
Configuring Access Rule Elements . . . 5-38
Configuring ISA Server Authentication . . . 5-45
Configuring Access Rules for Internet Access . . . 5-56
Configuring Caching and Cache Rules . . . 6-26
Configuring Content Download Jobs . . . 6-36
Configuring Multiple Networking on ISA Server . . . 7-20
Implementing Network Templates . . . 7-33
Configuring Intrusion Detection and IP Preferences . . . 7-43
Configuring an HTTP Web Filter . . . 7-61
Configuring DNS for Web and Server Publishing . . . 8-9
Configuring Web Publishing Rules . . . 8-29
Configuring Secure Web Publishing Rules . . . 8-42
Configuring Server Publishing Rules . . . 8-59
Configuring ISA Server Authentication . . . 8-71
Configuring ISA Server to Secure SMTP Traffic . . . 9-19
Configuring ISA Server to Secure OWA Client Connections . . . 9-34
Configuring ISA Server to Secure Outlook Client Connections . . . 9-47
Configuring Virtual Private Networking for Remote Clients . . . 10-29
Configuring Virtual Private Networking for Remote Sites . . . 10-44
Configuring VPN Quarantine Control . . . 10-61
Configuring and Managing Alerts . . . 11-24
Configuring Session and Connectivity Monitoring . . . 11-36
Configuring ISA Server Reporting . . . 11-54
Installing a Configuration Storage Server . . . 12-48
Configuring Enterprise and Array Policies . . . 12-57
Installing ISA Server 2004, Enterprise Edition . . . 12-62

Tables
Table 1-1: New Features in ISA Server 2004 . . . 1-19
Table 1-2: ISA Server Monitoring Components . . . 1-36
Table 2-1: ISA Server 2004 Hardware Scalability . . . 2-15
Table 2-2: Msisaund.ini Parameters . . . 2-26
Table 2-3: ISA Server Unattended Setup Parameters . . . 2-28
Table 3-1: Services Required for ISA Server 2004 . . . 3-8
Table 3-2: Optional Services . . . 3-9
Table 3-3: ISA Server Default Configuration . . . 3-15
Table 3-4: System Policy Settings . . . 3-18
Table 3-5: ISA Server Roles and Tasks . . . 3-22
Table 4-1: Comparing the ISA Server Clients . . . 4-9
Table 4-2: Guidelines for Choosing ISA Server Clients . . . 4-9
Table 4-3: Configuring Network Settings for SecureNAT Clients . . . 4-13
Table 4-4: ISA Server Firewall Configuration Settings . . . 4-34
Table 4-5: Application.ini File Settings . . . 4-41
Table 5-1: ISA Server Internet Access Restrictions . . . 5-8
Table 5-2: Configuring Dial-Up Preferences . . . 5-25
Table 5-3: Access Rule Element Types . . . 5-29
Table 5-4: Protocol Element Configuration Options . . . 5-31
Table 5-5: Network Object Access Rule Elements . . . 5-36
Table 5-6: Authentication Configuration Options . . . 5-45
Table 5-7: Access Rule Format . . . 5-49
Table 6-1: ISA Server Caching Restrictions . . . 6-8
Table 6-2: Advanced Caching Configuration Options . . . 6-16
Table 6-3: Cache Rule Options and the Default Cache Rule . . . 6-18
Table 6-4: Configuring Content Retrieval Settings . . . 6-20
Table 6-5: Configuring Content Caching . . . 6-21
Table 6-7: Configuring HTTP Caching . . . 6-23
Table 6-8: Configuring FTP Caching . . . 6-23
Table 6-9: Configuring Download Frequency . . . 6-32
Table 6-10: Configuring Content Download Job Details . . . 6-34
Table 6-11: Configure Content Download Job Caching . . . 6-35
Table 7-1: ISA Server Default Networks . . . 7-15
Table 7-2: ISA Server Default Network Rules . . . 7-18
Table 7-3: Firewall Policies Applied by the Internet-Edge Template . . . 7-29
Table 7-4: ISA Server Intrusion-Detection Options . . . 7-37
Table 7-5: Configuring HTTP Policy General Properties . . . 7-51
Table 7-6: HTTP 1.1 Methods . . . 7-52
Table 7-7: How ISA Server Evaluates Extensions . . . 7-54
Table 7-8: Application Signatures for Common Applications . . . 7-60
Table 8-1: Web Publishing Rule Configuration Options . . . 8-13
Table 8-2: Web Site Configuration Options . . . 8-24
Table 8-3: Server Publishing Rule Configuration Options . . . 8-48
Table 8-4: Port Override Configuration Options . . . 8-51
Table 9-1: Supported SMTP Commands . . . 9-8
Table 9-2: Configuring the SMTP Message Screener . . . 9-13
Table 9-3: RPC over HTTP Requirements . . . 9-44
Table 10-1: Comparing PPTP and L2TP/IPSEC . . . 10-8
Table 10-2: Site-to-Site VPN Configuration Components . . . 10-33
Table 10-3: Comparing Site-to-Site Tunneling Protocols . . . 10-35
Table 10-4: Remote-Site VPN Gateway Configuration Components . . . 10-43
Table 11-1: ISA Server Monitoring Components . . . 11-4
Table 11-2: ISA Server Management Console Dashboard Nodes . . . 11-6
Table 11-3: ISA Server Performance Objects . . . 11-10
Table 11-4: Alert Event Configuration Options . . . 11-19
Table 11-5: Configuring an Alert Action . . . 11-21
Table 11-6: Session Filtering Options . . . 11-32
Table 11-7: Connectivity Monitoring Configuration Options . . . 11-35
Table 11-8: ISA Server Log Options . . . 11-42
Table 11-9: Configuring the ISA Server Log Summaries . . . 11-49
Table 12-1: ISA Server Enterprise Edition Unattended Installation Files . . . 12-62

Troubleshooting Labs
Troubleshooting Lab . . . 3-39
Troubleshooting Lab . . . 5-62
Troubleshooting Lab . . . 5-71
Troubleshooting Lab . . . 7-66
Troubleshooting Lab . . . 8-76
Troubleshooting Lab . . . 9-50