00a mcse FrontMatter 6/5/01 3:26 PM Page i Exam 70-227 MCSE ISA Server 2000 T R A I N I N G G U I D E Roberta Bragg 00a mcse FrontMatter 6/5/01 3:49 PM Page ii ii MCSE TRAINING GUIDE (70-227) ISA SERVER 2000 MCSE TRAINING GUIDE (70-227): PUBLISHER David Dwyer INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT INTERNET SECURITY AND ASSOCIATE PUBLISHER Al Valvano ACCELERATION SERVER 2000, ENTERPRISE EDITION EXECUTIVE EDITOR Stephanie Wall Copyright 2002 by New Riders Publishing MANAGING EDITOR First Printing: July 2002 Gina Brown All rights reserved. No part of this book may be reproduced or trans- PRODUCT MARKETING MANAGER mitted in any form or by any means, electronic or mechanical, includ- Stephanie Layton ing photocopying, recording, or by any information storage and PUBLICITY MANAGER retrieval system, without written permission from the publisher, except Susan Nixon for the inclusion of brief quotations in a review. ACQUISITIONS EDITORS International Standard Book Number: 0-7357-1092-9 Jeff Riley Deborah Hittel-Shoaf Library of Congress Catalog Card Number: 00110877 DEVELOPMENT EDITOR 05 04 03 02 01 7 6 5 4 3 2 1 Christopher Morris Interpretation of the printing code: The rightmost double-digit num- MEDIA DEVELOPER ber is the year of the book’s printing; the rightmost single-digit num- Jay Payne ber is the number of the book’s printing. For example, the printing TECHNICAL REVIEWERS code 01-1 shows that the first printing of the book occurred in 2001. Emmett Dulaney Composed in Garamond and MCPdigital by New Riders Publishing Richard D. Coile Printed in the United States of America PROJECT EDITOR Linda Seifert Trademarks INDEXER All terms mentioned in this book that are known to be trademarks or Brad Herriman service marks have been appropriately capitalized. New Riders MANUFACTURING COORDINATOR Publishing cannot attest to the accuracy of this information. Use of a Jim Conway term in this book should not be regarded as affecting the validity of BOOK DESIGNER any trademark or service mark. Louisa Klucznik Warning and Disclaimer COVER DESIGNER Aren Howell This book is designed to provide information about the ISA Server exam. Every effort has been made to make this book as complete and PROOFREADER as accurate as possible, but no warranty or fitness is implied. Sheri Replin COMPOSITION The information is provided on an as-is basis. The authors and New Gina Rexrode Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or pro- grams that may accompany it. 00a mcse FrontMatter 6/5/01 3:26 PM Page iii iii Contents at a Glance 1 Introduction: What Is ISA Server?..................................................................................................9 Part I Installation and Upgrade 2 Plan Before Acting: Preinstallation Activities ..........................................................................45 3 Installing ISA Server............................................................................................................................71 4 Upgrading Microsoft Proxy 2.0 ................................................................................................109 Part II Configuring and Troubleshooting ISA Server Services 5 Outbound Internet Access ............................................................................................................133 6 ISA Server Hosting Roles ..............................................................................................................181 7 H.323 Gatekeeper ............................................................................................................................205 8 Dial-Up Connections and RRAS................................................................................................235 9 ISA Virtual Private Networks ......................................................................................................265 Part III Configuring, Managing, and Troubleshooting Policies and Rules 10 Firewall Configuration ..................................................................................................................309 11 Manage ISA Server in the Enterprise ......................................................................................337 12 Access Control in the Enterprise................................................................................................361 Part IV Deploying, Configuring, and Troubleshooting the Client Computer 13 Planning and Deploying Clients................................................................................................383 14 Installing and Configuring Client Options............................................................................399 00a mcse FrontMatter 6/5/01 3:26 PM Page iv iv MCSE TRAINING GUIDE (70-227) ISA SERVER 2000 Part V Monitoring, Analyzing, and Optimizing ISA Server 15 Monitoring Network Security and Usage................................................................................421 16 Performance Analysis and Optimization ................................................................................449 Part VI Final Review Fast Facts ..............................................................................................................................................477 Study and Exam Prep Tips............................................................................................................497 Practice Exam......................................................................................................................................503 Part VII Appendixes A Microsoft Proxy Server 2.0 Configuration Backup ............................................................531 B ISA Setup Log....................................................................................................................................539 C ISA Upgrade Log ..............................................................................................................................599 D Glossary ................................................................................................................................................611 E Overview of the Certification Process......................................................................................619 F What’s on the CD-ROM ..............................................................................................................625 G Using the ExamGear, Training Guide Edition Software ..................................................627 Index ......................................................................................................................................................653 00a mcse FrontMatter 6/5/01 3:26 PM Page v v Table of Contents Introduction 1 Notes on This Book’s Organization ........................................................................1 How This Book Helps You ....................................................................................2 What the Installing, Configuring, and Administrating Microsoft Internet Security and Acceleration (ISA) Server Exam (70-227) Covers ................................................4 Installing ISA Server ........................................................................................4 Configuring and Troubleshooting ISA Server Services ......................................4 Configuring, Managing, and Troubleshooting Policies and Rules ....................5 Deploying, Configuring, and Troubleshooting the Client Computer ..............5 Monitoring, Managing, and Analyzing ISA Server Use ....................................5 Hardware and Software You’ll Need ......................................................................6 Advice on Taking the Exam ....................................................................................7 New Riders Publishing ..........................................................................................7 1 Introduction: What Is ISA Server? 9 Introduction ........................................................................................................11 Architecture Overview ..........................................................................................12 ISA Server Clients ................................................................................................15 Web Proxy Clients ..........................................................................................15 Firewall Clients ................................................................................................15 SecureNAT Clients ..........................................................................................15 ISA Server Is a Multilayered Enterprise Firewall ..................................................16 Packet Filtering ................................................................................................17 Circuit-Level Filtering ....................................................................................17 Application-Level Filtering ..............................................................................17 Stateful Inspection ..........................................................................................18 Built-In Intrusion Detection ............................................................................18 System Hardening Templates ..........................................................................19 Virtual Private Networking ..............................................................................19 ISA Server Is a High-Performance Web Caching Server ......................................19 Reverse Caching ..............................................................................................20 Forward Caching ............................................................................................21 Scheduled Caching ..........................................................................................22 00a mcse FrontMatter 6/5/01 3:26 PM Page vi vi MCSE TRAINING GUIDE (70-227) ISA SERVER 2000 Distributed Caching ........................................................................................23 Hierarchical Caching or Chaining ..................................................................24 ISA Server Hosting Services ..................................................................................27 ISA Server Provides Integrated, Centralized Management and Control ................28 Enterprise or Standard Editions ......................................................................29 Firewall, Caching, or Integrated Modes ..........................................................30 Policy-Based Rules ..........................................................................................31 Tiered Policies: Both Enterprise and Array Level ............................................35 Bandwidth Control ..........................................................................................36 Logging and Reporting ....................................................................................37 Review Questions ............................................................................................39 Exam Questions ..............................................................................................39 Answers to Review Questions ..........................................................................40 Answers to Exam Questions ............................................................................40 Part I: Installation and Upgrade 2 Plan Before Acting: Preinstallation Activities 45 Introduction ........................................................................................................47 Network Design and Planning ............................................................................47 Network Size ..................................................................................................48 User Needs ......................................................................................................48 Installation Options ........................................................................................48 ISA Server Mode and Array Considerations ....................................................49 Active Directory Integration Needs ................................................................50 Interoperation with and Requirements for Other Services ..............................51 Making Hardware Choices ..............................................................................53 Client Considerations ....................................................................................56 Windows 2000 Installation and Configuration ....................................................57 Preinstallation Network Configuration ................................................................58 Server Placement ............................................................................................58 Verify Network Connectivity ..........................................................................58 Verify Internet Connectivity ..........................................................................62 Verify Name Resolution ..................................................................................63 Exercises ..........................................................................................................65 Review Questions ............................................................................................65 Exam Questions ..............................................................................................65 Answers to Review Questions ..........................................................................67 Answers to Exam Questions ............................................................................68 00a mcse FrontMatter 6/5/01 3:26 PM Page vii vii 3 Installing ISA Server 71 Introduction ........................................................................................................74 Installation Processes Common to Several Configurations ....................................74 Constructing and Modifying the Local Address Table (LAT) ..........................75 Configuring the Cache ....................................................................................77 ISA Server Installation ..........................................................................................79 Installation Defaults ........................................................................................80 Standard Edition Generic Instructions ............................................................81 Enterprise Edition ..........................................................................................83 Installing the ISA Server Schema in the Active Directory ..............................83 Install ISA Server Enterprise Edition ..............................................................85 Unattended Setup ............................................................................................91 Installing Additional ISA Servers in an Array ..................................................93 Troubleshooting the Installation ..........................................................................95 Failed Installation ............................................................................................95 Was Installation Successful? ............................................................................97 Uninstalling ISA Server ........................................................................................99 Exercises ........................................................................................................101 Review Questions ..........................................................................................103 Exam Questions ............................................................................................104 Answers to Review Questions ........................................................................107 Answers to Exam Questions ..........................................................................108 4 Upgrading Microsoft Proxy 2.0 109 Introduction ......................................................................................................111 Reasons for Upgrading ......................................................................................111 The Migration Process ........................................................................................112 Back Up the Proxy Server Configuration ......................................................114 Stop and Disable Proxy Server Services ..........................................................115 Upgrade to Windows 2000 and Install ISA Server ........................................116 Review the Setup Logs ..................................................................................117 Array Migration ............................................................................................118 Proxy Configuration Migration Results ..............................................................120 Predetermined Migration Effects ..................................................................120 Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration ..............................................................................121 Post Migration Necessities ............................................................................122 Migrating the Mindset ......................................................................................123 00a mcse FrontMatter 6/5/01 3:26 PM Page viii viii MCSE TRAINING GUIDE (70-227) ISA SERVER 2000 Exercises ........................................................................................................126 Review Questions ..........................................................................................126 Exam Questions ............................................................................................126 Answers to Review Questions ........................................................................128 Answers to Exam Questions ..........................................................................129 Part II: Configuring and Troubleshooting ISA Server Services 5 Outbound Internet Access 133 Introduction ......................................................................................................136 Post Installation Default Settings ........................................................................136 ISA Server Object Permissions ......................................................................137 Service Permissions ........................................................................................141 Local Access Table (LAT) ..............................................................................142 Policy Settings ..............................................................................................142 Packet Filtering ..............................................................................................143 Routing ........................................................................................................144 Caching ........................................................................................................145 Publishing ......................................................................................................145 Alerts ............................................................................................................146 Configuring Access Rules and Tools ..................................................................146 Understanding and Configuring Outgoing Web Request Properties ..............147 How Are Rules Evaluated? ............................................................................149 Creating Policy Elements ..............................................................................149 Configuring Site and Content Rules ..............................................................153 Configuring Protocol Rules ..........................................................................154 Authentication and Rules ..............................................................................158 Custom HTML Error Messages ....................................................................158 Configuring a Single System Versus an Array ....................................................160 Configuring Caching ..........................................................................................161 Standalone Cache ..........................................................................................161 Configuring Hierarchical Access ....................................................................161 Configuring CARP ........................................................................................163 Configuring Network Settings ............................................................................163 Bandwidth Rules ..........................................................................................164 LAT and Local Domain Tables ......................................................................166 Configuring Routing Rules ............................................................................167 Configuring ISA Server Chains ......................................................................168 00a mcse FrontMatter 6/5/01 3:26 PM Page ix ix Troubleshooting Client Access Problems ............................................................169 A Protocol Rule Exists for a Protocol Definition, but Clients Cannot Use It 169 Clients Can’t Use a Specific Protocol ............................................................170 Clients Cannot Browse External Web Sites ....................................................170 Clients Receive a 502 Error Every Time They Attempt to Browse the Web ..171 Clients Can Still Use a Protocol After the Rule for this Protocol Has Been Disabled ......................................................................................171 All Other Errors Including Intermittent Issues ..............................................172 Exercises ........................................................................................................174 Answers to Exercises ......................................................................................175 Review Questions ..........................................................................................175 Exam Questions ............................................................................................177 Answers to Review Questions ........................................................................179 Answers to Exam Questions ..........................................................................179 6 ISA Server Hosting Roles 181 Introduction ......................................................................................................183 Configuring ISA Server for Web Publishing ......................................................184 Configuring Destination Sets ........................................................................186 Configuring Listeners ....................................................................................186 Creating Web Publishing Rules ....................................................................187 Enabling CARP ............................................................................................188 Configuring Server Certificates and Authentication Methods ........................189 Redirecting HTTP and SSL Requests ............................................................190 Configuring ISA Server for Server Proxy ............................................................193 DNS and Mail Proxy ....................................................................................194 The Mail Server Security Wizard ..................................................................194 Content Filtering ..........................................................................................195 Configuring ISA Server for Server Publishing ....................................................197 Creating Server Publishing Rules ..................................................................197 Publishing Servers on a Perimeter Network ..................................................199 Exercises ........................................................................................................201 Review Questions ..........................................................................................201 Exam Questions ............................................................................................201 Answers to Review Questions ........................................................................203 Answers to Exam Questions ..........................................................................203 00a mcse FrontMatter 6/5/01 3:26 PM Page x x MCSE TRAINING GUIDE (70-227) ISA SERVER 2000 7 H.323 Gatekeeper 205 Introduction ......................................................................................................208 What Is an H.323 Gatekeeper? ..........................................................................208 What Is the H.323 Protocol? ........................................................................209 Where Does T-120 Fit In? ............................................................................210 What’s the Difference Between a Gatekeeper and a Gateway? ......................211 How Does the Gatekeeper Work? ..................................................................211 H.323 Gatekeeper Limitations and Other Considerations ............................216 How to Add an H.323 Gatekeeper to ISA ........................................................217 Enabling and Configuring H.323 Protocol Access ........................................218 Configuring DNS ..........................................................................................220 Adding the H.323 Gatekeepers ....................................................................221 Enabling Fast Kernel Mode and Data Pumping ............................................222 Gatekeeper Administration ............................................................................222 Configuring Gatekeeper Call Routing Rules ......................................................223 Configuring Destinations ..............................................................................224 Configuring Phone Number Rules ................................................................224 Configuring Email Address Rules ..................................................................225 Configure IP Address Rules ..........................................................................226 H.323 Gatekeeper Scenarios ..............................................................................227 Exercises ........................................................................................................231 Review Questions ..........................................................................................231 Exam Questions ............................................................................................232 Answers to Review Questions ........................................................................233 Answers to Exam Questions ..........................................................................233 8 Dial-Up Connections and RRAS 235 Introduction ......................................................................................................238 Dial-on-Demand Connections ..........................................................................238 Configure Network and Dial-Up Connections ..............................................239 Create a Dial-Up Entry ................................................................................240 Create a Dial-Up Routing Rule ....................................................................240 Enable Dial-Up Entry in Firewall Chaining Configuration ..........................242 Managing and Limiting ISA Dial-Up Connections ......................................................................................243 Troubleshooting ISA Server Dial-Up Connections ............................................243 Routing and Remote Access Service Versus ISA Server ......................................245 Routing ........................................................................................................246 Connecting Remote Clients ..........................................................................246 Static Routes ..................................................................................................247