Instruction/maintenance manual of the product 2004 Microsoft
ISA Server 2004 Configuration Guide
For the latest information, please see http://www.microsoft.com/isaserver/.

Contents
Chapter 1 How to Use the Guide
Chapter 2 Installing Certificate Services
Chapter 3 Installing and Configuring the Microsoft Internet Authentication Service
Chapter 4 Installing and Configurin.

ISA Server 2004 Configuration Guide: How to Use the Guide
Chapter 1
For the latest information, please see http://www.microsoft.com/isaserver/
ISA Server 2004 Configuration Guide 1.
Introduction
Welcome to the ISA Server 2004 Configuration Guide! This guide was designed to help you get started using ISA Server 2004 firewalls to protect your network and allow secure remote access to your network.

Learn about ISA Server 2004 features
ISA Server 2004 is designed to protect your network from intruders located on the inside of your network and those outside of your network. The ISA Server 2004 firewall does this by controlling what communications can pass through the firewall.

Practice configuring the ISA Server 2004 firewall
The firewall is your first line of defense against Internet attackers.

The ISA Server 2004 Configuration Guide Lab Configuration
We will use a lab network configuration to demonstrate the capabilities and features of ISA Server 2004 in this ISA Server 2004 Configuration Guide. We recommend that you set up a test lab with a similar configuration.
[Lab network diagram: a domain controller running RADIUS, DHCP, DNS, WINS, Enterprise CA, Exchange 2003 Server and IIS 6.0; a caching-only DNS server; networks 172.16.0.0/16 and 10.0.0.0/24; host settings IP 172.16.0.2/16, DG 172.16.0.1, DNS 172.16.0.2 and IP 10.0.0.2/24, DG 10.]
Lab Network Details

Setting           TRIHOMELAN1    CLIENT
IP Address        172.16.0.2     10.0.0.3
Default Gateway   10.0.0.1       10.0.0.1
DNS               10.
5. On the Windows Server 2003, Standard Edition Setup screen, select Format the partition using the NTFS file system by using the up and down arrows on the keyboard. Then press ENTER.
6. Windows Setup formats the hard disk.

Install and Configure DNS
The next step is to install the Domain Naming System (DNS) server on the machine that will be the domain controller. This is required because the Active Directory requires a DNS server into which it registers domain-related DNS records.

8. Expand the Forward Lookup Zones node and click on the msfirewall.org zone. Right click on msfirewall.org and click New Host (A).
9. In the New Host dialog box, enter the value EXCHANGE2003BE in the Name (uses parent domain name if blank) text box.

17. Click Restart Now on the Active Directory Installation Wizard page.
18. Log on as Administrator after the machine restarts.

Installing and Configuring Microsoft Exchange on the Domain Controller
The machine is ready for installing Microsoft Exchange.

8. Select the Create a New Exchange Organization option on the Installation Type page and click Next.
9. Accept the default name in the Organization Name text box on the Organization Name page, and click Next.

(password is sent in clear text) checkbox. Click Yes in the IIS Manager dialog box informing you that the password is sent in the clear. In the Default domain text box, enter the name of the Internal network domain, which is MSFIREWALL.

Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the goals of this guide and suggested methods you can use to get the most out of this guide.
ISA Server 2004 Configuration Guide: Installing Certificate Services
Chapter 2
For the latest information, please see http://www.microsoft.com/isaserver/

Introduction
Microsoft Certificate Services can be installed on the domain controller on the internal network and issue certificates to hosts within the internal network domain, as well as to hosts that are not members of the Internal network domain.

Install Internet Information Services 6.0
The Certificate Authority's Web enrollment site uses the Internet Information Services World Wide Web Publishing Service. Because Exchange 2003 has already been installed on this machine, we will not need to manually install the IIS Web services.

Install Microsoft Certificate Services in Enterprise CA Mode
Microsoft Certificate Services will be installed in Enterprise CA mode on the domain controller. There are several advantages to installing the CA in enterprise mode versus standalone mode.

6. On the CA Identifying Information page, enter a name for the CA in the Common name for this CA text box. This should be the DNS host name for the domain controller.
7. If the same machine had been configured as a CA in the past, you will be presented with a dialog box asking if you wish to overwrite the existing key. If you have already deployed certificates to hosts on your network, then do not overwrite the current key.

Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the uses of a certificate authority and how to install an Enterprise CA on the domain controller on the internal network.
ISA Server 2004 Configuration Guide: Installing and Configuring the Microsoft Internet Authentication Service
Chapter 3
For the latest information, please see http://www.

Introduction
The Microsoft Internet Authentication Server (IAS) is an industry standard RADIUS server that can be used to authenticate users connecting to the ISA Server 2004 firewall machine.

Installing the Microsoft Internet Authentication Service
The Microsoft Internet Authentication Service server is a RADIUS server. We will use the RADIUS server later in this ISA Server 2004 Configur.

Configuring the Microsoft Internet Authentication Service
You need to configure the IAS server to work together with the ISA Server 2004 firewall computer so that they can communicate properly. At this time, we will configure the IAS Server to work with the ISA Server 2004 firewall.

4. Click the Verify button. In the Verify Client dialog box, the fully qualified domain name of the ISA Server 2004 firewall computer will appear in the Client text box. Click the Resolve button. If the RADIUS server is able to resolve the name, the IP address will appear in the IP address frame.
5. Click Next on the Name and Address page of the New RADIUS Client wizard.
6. On the Additional Information page of the wizard, use the default Client-Vendor entry, which is RADIUS Standard. Enter a password in the Shared secret text box and confirm the password in the Confirm shared secret text box.

8. Close the Internet Authentication Service console. Later in this ISA Server 2004 Configuration Guide series we will configure a RADIUS server entry in the Microsoft Internet Security and Acceleration Server 2004 management console and use that entry for Web and VPN client requests.

Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the uses of a Microsoft Internet Authentication Server and how to install and configure the IAS server on the domain controller on the internal network. Later in this guide we will use this IAS server to authenticate incoming Web and VPN client connections.
ISA Server 2004 Configuration Guide: Installing and Configuring the Microsoft DHCP and WINS Server Services
Chapter 4
For the latest information, please see http://www.

Introduction
The Windows Internet Name Service (WINS) enables machines to resolve NetBIOS names of hosts on remote networks. Machines configured as WINS clients register their names with the WINS server. WINS clients are also able to send name queries to a WINS server to resolve the names to IP addresses.

Installing the WINS Service
The Windows Internet Name Service (WINS) is used to resolve NetBIOS names to IP addresses. On modern Windows networks, the WINS service is not required. However, many organizations want to use the My Network Places applet to locate servers on the network.

The WINS server is ready to accept NetBIOS name registrations immediately. The ISA Server 2004 firewall, the domain controller, and the internal network clients are all configured to register with the WINS server in their TCP/IP Properties settings.

Configuring the DHCP Service
The Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addressing information to internal network clients and VPN clients.

4. Right click on the server name in the left pane of the console and click the New Scope command.
5. Click Next on the Welcome to the New Scope Wizard page.
6. On the Scope Name page, enter a name for the scope in the Name text box and enter an optional description in the Description text box.

12. On the Domain Name and DNS Servers page, enter the domain name used on the internal network in the Parent domain text box. This is the domain name that will be used by DHCP clients to fully qualify unqualified names, such as the wpad entry that is used for Web Proxy and Firewall client autodiscovery.
13. On the WINS Servers page, enter the IP address of the WINS server in the IP address text box and click Add. In this example, the WINS server is located on the domain controller on the internal network, so we will enter 10.0.0.2. Click Next.
14.

Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the uses of the Microsoft WINS and DHCP servers, installed the server services on the domain controller, and configured a scope on the DHCP server. Later in this guide we will see how the addition of the WINS and DHCP services helps enhance the VPN client experience.
ISA Server 2004 Configuration Guide: Configuring DNS and DHCP Support for Web Proxy and Firewall Client Autodiscovery
Chapter 5
For the latest information, please see http://www.

Introduction
The Web Proxy Autodiscovery Protocol (WPAD) can be used to allow Web browsers and the Firewall client application to automatically discover the address of the ISA Server 2004 firewall.

Configure DHCP WPAD Support
The DHCP scope option number 252 can be used to automatically configure Web Proxy and Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the logged on user must be a member of the local administrators group or Power users group (for Windows 2000).

4. In the Value frame, enter the URL to the ISA Server 2000 firewall in the String text box. The format for this value is:
http://ISAServername:Autodiscovery Port Number/wpad.dat
The default autodiscovery port number is TCP 80. You can customize this value in the ISA Management console.
5. Right click the Scope Options node in the left pane of the console and click the Configure Options command.
6. In the Scope Options dialog box, scroll through the list of Available Options and put a checkmark in the 252 wpad check box. Click Apply and then click OK.
Configure DNS WPAD Support
Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this information to automatically configure themselves.

Create the Wpad Entry in DNS
The first step is to create a wpad alias entry in DNS. This alias (also known as a CNAME record) points to a Host (A) record for the ISA Server 2004 firewall. The Host (A) record resolves the name of the ISA Server 2004 firewall to the Internal IP address of the firewall.

4. In the Browse dialog box, double click on the Forward Lookup Zone entry in the Records frame.
5. In the Browse dialog box, double click on the name of your forward lookup zone in the Records frame.
6. In the Browse dialog box, select the name of the ISA Server 2000 firewall in the Records frame. Click OK.
7. Click OK in the New Resource Record dialog box.
8. The CNAME (alias) entry appears in the right pane of the DNS management console.
9. Close the DNS Management console.

Configure the Client to Use the Fully Qualified wpad Alias
The Web Proxy and Firewall clients need to be able to resolve the name wpad. The Web Proxy and Firewall client configurations are not aware of the domain containing the wpad alias.

4. In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name that contains your wpad entry in the Primary DNS suffix of this computer text box. The operating system will append this domain name to the wpad name before sending the DNS query to the DNS server.
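The DHCP option 252 and DNS wpad alias steps above, scripted as an added example that is not part of the guide: it uses the DhcpServer and DnsServer PowerShell modules of later Windows Server releases rather than the Windows Server 2003 consoles the guide walks through, and the zone name msfirewall.org, firewall host name isa2004, internal address 10.0.0.1 and scope 10.0.0.0 are assumptions drawn from the lab layout.

```powershell
# Added example, not from the ISA Server 2004 guide. Publishes WPAD autodiscovery
# through DHCP scope option 252 and a DNS CNAME, then verifies the result.
# Assumes the DhcpServer and DnsServer modules (Windows Server 2012 or later).
# Lab values below are assumptions: zone msfirewall.org, firewall host isa2004
# with internal address 10.0.0.1, DHCP scope 10.0.0.0/24.

$Zone       = 'msfirewall.org'
$Firewall   = 'isa2004'            # Host (A) record for the firewall must already exist
$FirewallIp = '10.0.0.1'
$ScopeId    = '10.0.0.0'
# Guide's format: http://ISAServername:AutodiscoveryPort/wpad.dat, default port 80
$WpadUrl    = "http://${Firewall}.${Zone}:80/wpad.dat"

# DHCP: option 252 is not predefined, so define it once, then set it on the scope.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'wpad' -Type String `
        -Description 'Web Proxy Autodiscovery URL'
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252 -Value $WpadUrl

# DNS: the wpad alias (CNAME) points at the firewall's Host (A) record.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'wpad' -HostNameAlias "${Firewall}.${Zone}"

# Verification 1: what a DHCP client in the scope receives in option 252.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252 | Select-Object OptionId, Value

# Verification 2: resolve the name the way a client whose primary DNS suffix is
# msfirewall.org does ("wpad" + suffix -> CNAME -> A). Warn if the alias lands
# anywhere other than the firewall's internal address, which would send browsers
# to the wrong proxy.
$answer  = Resolve-DnsName -Name "wpad.${Zone}" -Type A -ErrorAction Stop
$address = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress
if ($address -ne $FirewallIp) {
    Write-Warning "wpad.${Zone} resolves to '$address', expected $FirewallIp"
} else {
    Write-Output "wpad.${Zone} -> $address (OK)"
}
```

Run it on the domain controller that hosts both the DHCP and DNS services. The final check resolves wpad exactly as a client with primary DNS suffix msfirewall.org would, so a stray or stale wpad record that points anywhere but the firewall's internal address shows up as a warning before clients pick it up.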
Configure the Client Browser to Use Autodiscovery
The next step is to configure the browser to use autodiscovery. To configure the Web browser to use autodiscovery to automatically configure itself to use the ISA Server 2000 firewall's Web Proxy service:
1.

Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the uses of a Microsoft Internet Authentication Server and how to install and configure the IAS server on the domain controller on the Internal network. Later in this guide, we will use this IAS server to authenticate incoming Web and VPN client connections.
ISA Server 2004 Configuration Guide: Installing and Configuring a DNS Caching-only DNS Server on the Perimeter Network Segment
Chapter 6
For the latest information, please see http://www.

Introduction
DNS servers allow client systems to resolve names to IP addresses. Internet applications need to know the IP address of a destination host before they can connect. A caching-only DNS server is a special type of DNS server in that it is not authoritative for any domain.

Installing the DNS Server Service
The first step is to install the DNS server service on the perimeter network host. This machine will act as both a secure caching-only DNS server and a publicly accessible Web and SMTP relay machine.

Configuring the DNS Server as a Secure Caching-only DNS Server
The DNS server on the perimeter network will be in direct contact with Internet hosts. These hosts can be DNS clients that query the perimeter network DNS server for addresses of publicly accessible domain resources.

4. Click on the Forwarders tab. Make sure there is not a checkmark in the Do not use recursion for this domain check box. If this option is selected, the caching-only DNS server cannot use the root hints list of the root Internet DNS servers to resolve Internet host names.

6. Click the Monitoring tab. Put checkmarks in the A simple query against this DNS server and A recursive query to other DNS servers check boxes. Then click the Test Now button. Note in the Test results frame that the Simple Query shows a Pass, while the Recursive Query displays a Fail.
7. Click Apply and then click OK in the DNS server's Properties dialog box.
8. Close the DNS management console. At this point, the caching-only DNS server is able to resolve Internet host names. Later, we will create Access Rules allowing hosts on the internal network to use the caching-only DNS server to resolve Internet host names.
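A check of the caching-only configuration from the steps above, added here as an example rather than taken from the guide: it uses the DnsServer PowerShell module (Windows Server 2012 and later) instead of the Windows Server 2003 Properties dialog, and the server address 172.16.0.2 is assumed from the lab diagram.

```powershell
# Added example, not from the ISA Server 2004 guide. Checks that a Windows DNS
# server is a caching-only resolver as the chapter describes: no zones of its
# own, recursion enabled, root hints loaded. Assumes the DnsServer module
# (Windows Server 2012 or later); the guide does the same checks by hand on the
# Forwarders and Monitoring tabs. 172.16.0.2 is assumed from the lab diagram.

$DnsServer = '172.16.0.2'

$recursion = Get-DnsServerRecursion -ComputerName $DnsServer
$rootHints = @(Get-DnsServerRootHint -ComputerName $DnsServer)
# Ignore the reverse-lookup zones Windows creates itself, the cache root and the
# TrustAnchors store; none of them makes the server authoritative for a domain.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' -and $_.ZoneName -ne '.' }

# A caching-only server is authoritative for nothing, so any remaining zone means
# it would answer for that domain instead of recursing.
foreach ($z in $zones) {
    Write-Warning "Zone '$($z.ZoneName)' is hosted here; a caching-only server should have none"
}

# "Do not use recursion for this domain" unchecked in the guide is recursion enabled here.
if (-not $recursion.Enable) {
    Write-Warning 'Recursion is disabled; root hints cannot be used to resolve Internet names'
}
if ($rootHints.Count -eq 0) {
    Write-Warning 'No root hints loaded; recursive resolution of Internet names will fail'
}

# The two tests the Monitoring tab runs: a simple query against this server and a
# recursive query through the root hints. In an isolated lab the second fails,
# which is the result step 6 of the chapter shows.
Test-DnsServer -IPAddress $DnsServer -Context DnsServer
Test-DnsServer -IPAddress $DnsServer -Context RootHints
```

The warnings are the conditions under which the chapter's configuration stops being a caching-only server: a hosted zone, recursion switched off, or an empty root hints list. The two Test-DnsServer calls reproduce the Simple Query and Recursive Query results from the Monitoring tab, so the Fail on the recursive test in a lab without Internet connectivity is expected rather than a misconfiguration.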
Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the uses of a caching-only DNS server and how to install and configure the Microsoft DNS server service.
ISA Server 2004 Configuration Guide: Installing ISA Server 2004 on Windows Server 2003
Chapter 7
For the latest information, please see http://www.microsoft.

Introduction
In this ISA Server 2004 Configuration Guide document we will install the ISA Server 2004 software onto the Windows Server 2003 computer we installed and configured in Chapter 1.

Installing ISA Server 2004
Installing ISA Server 2004 on Windows Server 2003 is relatively straightforward. The major decision you make during setup is what IP addresses should be part of the Internal network.

7. On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed.

9. In the Internal Network setup page, click the Select Network Adapter button.
10. In the Select Network Adapter dialog box, remove the checkmark from the Add the following private ranges … checkbox. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox.
11. Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table.
12. Click OK on the Internal network address ranges dialog box.

14. On the Firewall Client Connection Settings page, place checkmarks in the Allow non-encrypted Firewall client connections and Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server checkboxes.

16. Click Install on the Ready to Install the Program page.
17. On the Installation Wizard Completed page, click Finish.
18. Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.
Viewing the System Policy
By default, ISA Server 2004 does not allow outbound access to the Internet from any protected network and it does not allow Internet hosts access to the firewall or any networks protected by the firewall. However, a default firewall System Policy is installed that allows network management tasks to be completed.

The System Policy Rules are listed in the following columns:
Order number | Name | Action (Allow or Deny) | Protocols | From (source network or host) | To (destination network or host) | Condition (who or what the rule applies to)

You may want to widen the Name column to get a quick view of the rule descriptions. Notice that not all the rules are enabled.

5. Review the System Policy Rules and then hide the rules by clicking the Show/Hide System Policy Rules button in the console's button bar. This is the depressed (pushed in) button seen in the figure below.

Order | Name | Action | Protocols | From | To | Condition
NetBIOS Session 3 Allow Remote Management using Terminal Server | Allow | RDP (Terminal Services) | Remote Management Com.

Order | Name | Action | Protocols | From | To | Condition
Server Remote Gateways 15 Allow Microsoft CIFS protocol from ISA Server to trusted servers | Allow | Microsoft CIFS (T.

Order | Name | Action | Protocols | From | To | Condition
to specified Microsoft Error Reporting sites sites 24 4 Allow SecurID protocol from ISA Server to trusted servers.

Backing Up the Post-Installation Configuration
Perform the following steps to back up the post installation configuration:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and right click on the server name in the left pane of the console.

4. Click OK in the Exporting dialog box when you see the The configuration was successfully backed up message. Make sure to copy the backup file to another location on the network after the backup is complete.

Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the procedures required to install the ISA Server 2004 software on a Windows Server 2003 computer. We also examined the firewall System Policy that is created during installation.
ISA Server 2004 Configuration Guide: Backing Up and Restoring Firewall Configuration
Chapter 8
For the latest information, please see http://www.microsoft.

Introduction
ISA Server 2004 includes a new and enhanced backup and restore feature set. In ISA Server 2000, the integrated backup utility could back up the ISA Server 2000 firewall configuration. That backup file could be used to restore the configuration to the same installation on the same machine.

Backing up the Firewall Configuration
The ISA Server 2004 integrated backup utility makes saving the firewall configuration very easy. There are only a handful of steps required to back up and restore the configuration. Perform the following steps to back up the entire firewall configuration:
5.

8. Click OK in the Exporting dialog box when you see the The configuration was successfully backed up message. Make sure to copy the backup file to another location on the network after the backup is complete. The backup file should be stored off-line on media that supports NTFS formatting so that you can encrypt the file.

Restoring the Firewall Configuration from the Backup File
You can use the backup file to restore the machine configuration. The restore can be to the same machine and same ISA Server 2004 firewall installation, the same machine and a new ISA Server 2004 firewall installation, or to a completely new machine.

4. Click OK in the Importing dialog box when it shows the The configuration was successfully restored message.
5. Click Apply to save the changes and update firewall policy.
The restored configuration is now fully functional and the previous firewall policies are now applied.

Exporting Firewall Policy
You may not always want or need to export all aspects of the ISA Server 2004 firewall configuration. For example, you may have problems with your Access Policies and want someone to view them for you.

3. In the Set Password dialog box, enter a password and confirm the password in the Confirm password text box. Click OK.
4. Click OK in the Exporting dialog box when you see the message Successfully exported the configuration.

Importing Firewall Policy
The export file can be imported to the same machine or another machine that has ISA Server 2004 installed. In the following example, we will import the VPN Clients settings that were exported in the previous exercise. Perform the following steps to import the VPN Clients settings from the export file:
1.

4. Click OK in the Importing Virtual Private Networks (VPN) dialog box when you see the Successfully imported the configuration message.
5. Click Apply to apply the changes and update firewall policy.
6. Click OK in the Apply New Configuration dialog box when you see the message Changes to the configuration were successfully applied.

Conclusion
In this ISA Server 2004 Configuration Guide section, we discussed the procedures for backing up and restoring the ISA Server 2004 firewall configuration. We also explored the export and import feature that allows you to back up selected elements of the firewall configuration.
ISA Server 2004 Configuration Guide: Simplifying Network Configuration with Network Templates
Chapter 9
For the latest information, please see http://www.

Introduction
The ISA Server 2004 firewall comes with a number of pre-built Network Templates you can use to automatically configure Networks, Network Rules and Access Rules. The Network Templates are designed to get you started quickly by creating a base configuration on which you can build.

Scenario 1: The Edge Firewall Configuration
The Edge Firewall template configures the ISA Server 2004 firewall to have a network interface directly connected to the Internet and a second network interface connected to the Internal network.

Firewall Policy Description
access Server will prevent access from the Internet. The following access rules will be created:
1. Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet)
2.

3. Click Next on the Welcome to the Network Template Wizard page.
4. On the Export the ISA Server Configuration page, you are offered the opportunity to export the current configuration. You can return the ISA Server 2004 firewall to the state it was in prior to using the Edge Firewall network template using this file.
5. On the Internal Network IP Addresses page, you define the Internal network addresses. The current Internal network address range is automatically included in the Address ranges list. You can use the Add, Add Adapter and Add Private buttons to expand this list of addresses.
6. On the Select a Firewall Policy page you can select a firewall policy and a collection of Access Rules. In this example, we want to allow Internal network clients access to all protocols to access all sites on the Internet.
7. Review your settings and click Finish on the Completing the Network Template Wizard page.
8. Click Apply to save the changes and update firewall policy.
9. Click OK in the Apply New Configuration dialog box after you see the message Changes to the configuration were successfully applied.

Scenario 2: The 3-Leg Perimeter Configuration
The 3-leg perimeter configuration creates network relationships and Access Rules to support an Internal network segment and a perimeter (DMZ) network segment.

Firewall Policy Description
The following access rules will be created:
1. Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to the External Network (Internet)
2. Allow DNS from Internal Network, VPN Clients Network and Perimeter Network to External Network (Internet)
3.

3. Click Next on the Welcome to the Network Template Wizard page.
4. On the Export the ISA Server Configuration page, you can choose to export your current configuration. This is useful if you find that you need to return the firewall to its current settings in the event that the template settings do not meet your needs.
5. On the Internal Network IP Addresses page, you set the addresses that represent the Internal network. The addresses included in the current Internal network are automatically included in the Address ranges list. We will not add any addresses to the Internal network.
6. You configure the addresses that comprise the perimeter network segment on the Perimeter Network IP Addresses page. The wizard does not make any assumptions regarding what addresses should be included in the perimeter network, so the Address ranges list is empty.
7. Click the Add Adapter button. In the Network adapter details dialog box, put a checkmark in the DMZ check box. Note that the names that we previously set for network adapters appear in this list. Renaming network adapters helps you identify the network association of that adapter.
8. The wizard automatically enters an address range to the Address ranges list based on the Windows routing table. Click Next.
9. On the Select a Firewall Policy page, you select a firewall policy that will create network relationships between the Internet, perimeter and Internal networks and also creates Access Rules.
10. Review the settings on the Completing the Network Template Wizard page and click Finish.
11. Click Apply to save the changes and update firewall policy.
12. Click OK in the Apply New Configuration dialog box after you see the message Changes to the configuration were successfully applied.

14. Expand the Configuration node in the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console. Click on the Networks node. Here you see a list of networks, including the Perimeter network created by the template.

16. In the Perimeter Configuration Properties dialog box, click on the Source Networks tab. You can see in the This rule applies to traffic from these sources list the Internal, Quarantined VPN Clients and VPN Clients networks listed as source networks.

18. Click the Network Relationship tab. The default setting is Network Address Translation (NAT). This is a slightly higher security configuration because it hides the addresses of the Internal network clients that connect to perimeter network hosts.
19. Click Apply and then click OK.
20. Click Apply to save the changes and update the firewall policy.
21. Click OK in the Apply New Configuration dialog box after you see the message Changes to the configuration were successfully applied.

Conclusion
In this ISA Server 2004 Configuration Guide chapter, we discussed how you can use the Edge Firewall and 3-Leg Perimeter network templates to simplify initial configuration of network addresses, Network Rules and Access Rules.
ISA Server 2004 Configuration Guide: Configuring ISA Server 2004 SecureNAT, Firewall and Web Proxy Clients Chapter 10 For the latest information, please see http://www.
ISA Serv er 2004 Configuration Guide 114 Introduction An ISA Server 2004 client is a machine that connects to a resource by going through the ISA Server 2004 firewall. In general, the ISA Server 2004 client is located on an Internal or perimeter network segment and connects to the Internet through the ISA Server 2004 firewall.
ISA Serv er 2004 Configuration Guide 115 • Configuring the ISA Server 2004 Web Proxy client • Configuring the ISA Server 2004 Firewall client.
ISA Serv er 2004 Configuration Guide 116 Configuring the SecureNA T Client The SecureNAT client configuration is simple . The only requirement is that the machine be configured with a default gateway that routes Internet-bound requests through the ISA Server 2004 firewall machine.
5. Click OK in the Local Area Connection Properties dialog box. 6. Confirm the new IP addre ss assignment by using the ipconfig command. Click Start and Run . In the Open text box, enter cmd . 7. In the Command Prompt window, enter ipconfig /all and press ENTER.
8. Close the Command Prompt window. Return to the TCP/IP Properties dialog box and change the CLIENT machine to use a static IP address again. The IP address is 10.0.0.4 ; the subnet mask is 255.255.255.0 ; the default gateway is 10.0.0.1 , and the DNS server address is 10.
ISA Serv er 2004 Configuration Guide 119 Configuring the W eb Pro xy Client The Web Proxy client configuration requires that the Web browser be set to use the ISA Server 2004 firewall as its Web Proxy server. T here are several ways to configure the Web browser as a Web Proxy client.
Enter the TCP port number that t he Web Proxy filter lists on the Port text box, which is by default 8080 . Click OK in the Local Area Netw ork (LAN) Settings dialog box. 4. Click OK in the Internet Properties dialog box. The Web browser is now confi gured as a Web Proxy client.
ISA Serv er 2004 Configuration Guide 121 Configuring the Firewall Client The Firewall client software enables you to cont rol Internet access on a per user/group basis for all Winsock (TCP or UDP) connections to the Internet.
7. Click Install on the Ready to Install the Program page. 8. Click Finish on the Installation Wizard Completed page. You can now install the Firewall client softwar e from the Firewall client share on the domain controller. Perform the following steps to install the Firewall client software: 1.
5. Click Install on the Ready to Install the Program page. 6. Click Finish on the Install Wizard Completed page. The next step is to configure Firewall client support for the Internal network. Perform the following steps on the ISA Server 2004 firewall computer: 1.
3. Click on the Auto Discovery tab. Place a checkmark in the Publish automatic discovery information check box. Leave the default port as 80 . Click Apply and OK .
4. Click Apply to save the changes and update the firewall policy. 5. Click OK in the Apply New Configuration dialog box. We can now configure the Firewall client. Perf orm the following steps on the client computer on the Internal network: 1. At the CLIENT computer, double click on the Firewall client icon in the system tray.
3. Click the Detect Now button. The name of the ISA Server 2004 firewall computer will appear in the Detecting ISA Server dialog box when the client finds the ISA Server 2004 firewall.
4. Confirm that there is a checkmark in the Enable Web browser automatic configuration checkbox and click the Configure Now button. Note that based on the settings we created on the ISA Server 2004 firewall, the browser has been automatically configured.
5. Click Apply and then click OK in the Microsoft Firewall Client for ISA Server 2004 dialog box. The machine is now configured as a Firewall client and can access the Internet in its role as a Firewall client based on the Access Rules configured on the ISA Server 2004 firewall.
Conclusion In this ISA Server 2004 Configuration Guide section we discussed the various ISA Server 2004 client types and the features provided by each client. After discussing the types of ISA Server 2004 clients, we went over the procedures required to install and configure each client type.
ISA Server 2004 Configuration Guide: Configuring ISA Server 2004 Access Policy Chapter 11
Introduction The ISA Server 2004 firewall controls what communications move between networks connected to one another via the firewall.
Rule Element        Value
Order (priority)    1
Action              Allow
Protocols           HTTP and FTP (download)
From/Listener       Internal Network
Create a User Account The first step is to create a user account to which we can later assign limited Internet access privileges. In practice, the user account can be created in the Active Directory or on the local user database on the firewall computer.
5. Click Next on the Create an Exchange mailbox page. 6. Click Finish on the last page of the New User Wizard.
Disable the Access Rules created by the Network Template The next step is to disable the Access Rules created by the Network Template. In this example, we disable the Access Rules created by the 3-Leg perimeter template. You can perform a similar procedure if you used the Front-end firewall Network Template.
Create an Access Rule Limiting Protocols and Sites Users Can Access The first Access Rule will limit users' access to only the HTTP and HTTPS protocols. In addition, the users will only be able to use these protocols when accessing Microsoft operated Web properties.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will call the rule Limited Users Web Access . Click Next . 3. On the Rule Action page, select Allow and click Next . 4.
5. In the Add Protocols dialog box, double click on the HTTP and HTTPS protocols. Click Close . 6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add . In the Add Network Entities dialog box, click on the Networks folder. Double click on the Internal network, and click Close .
8. Click Next on the Access Rule Sources page. 9. On the Access Rule Destinations page, click Add . On the Add Network Entities dialog box, click the New menu, and click Domain Name Set . 10. In the New Domain Name Set Policy Element dialog box, click New .
11. In the Add Network Entities dialog box, click on the Domain Name Sets folder and then double click on the Microsoft entry. Click Close .
12. On the User Sets page, select the All Users entry in the This rule applies to requests from the following user sets list, and click Remove . Click Add . 13. In the Add Users dialog box, click the New menu. 14. On the Welcome to the New User Sets Wizard page, enter a name for the User Set in the User set name text box.
18. In the Select Users or Groups dialog box, enter User2 in the Enter the object names to select text box and click Check Names . When the Active Directory finds the user name, it will be underlined. Click OK . 19. Click Next on the Users page. 20. Click Finish on the Completing the New User Set Wizard page.
Create an Access Rule Providing Administrators Greater Access to Protocols and Sites Network administrators require a higher level of Internet access than other users on the network. However, even network administrators should be restrained from protocols that can lead to a significant risk of network compromise.
5. In the Add Protocols dialog box, click on the Instant Messaging folder. Double click on the IRC protocol. Click Close .
6. Click Next on the Protocols page. 7. On the Access Rule Sources page, click Add . In the Add Network Entities dialog box, click on the Networks folder. Double click on the Internal entry and click Close . 8. On the Access Rule Sources page, click Next .
17. Click Next on the Users page. 18. Click Finish on the Completing the New User Set Wizard page. 19. In the Add Users dialog box, double click on the Administrators entry, and click Close . 20. Click Next on the User Sets page. 21. Click Finish on the Completing the New Access Rule Wizard page.
Create a DNS Server Access Rule Allowing Internal Network DNS Servers Access to Internet DNS Servers We use a DNS server located on the Internal network to resolve Internet host names in our current scenario. This DNS server must be able to resolve Internet host names by contacting other DNS servers located on the Internet.
6. Click Next on the Protocols page. 7. On the Access Rule Sources page, click Add . In the Add Network Entities dialog box, click the New menu, then click the Computer Set command. 8. In the New Computer Set Rule Element dialog box, click Add . Click the Computer option.
9. In the New Computer Rule Element dialog box, enter a name for the DNS server in the Name text box. In this example, we’ll name the first DNS server DNS1 . Enter the IP address of the DNS server in the Computer IP Address text box. Click OK . 10. Click OK in the New Computer Set Rule Element dialog box.
12. Click Next on the Access Rule Sources page. 13. On the Access Rule Destinations page, click Add . Click the Networks folder and double click on the External entry. Click Close . 14. Click Next on the Access Rule Destinations page. 15. On the User Sets page, accept the default entry, All Users , and click Next .
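The three Access Rules created so far are evaluated in the order they appear in the firewall policy, and the first rule whose protocol, source, destination and user set all match decides the request; a request that matches no rule falls through to the default deny. The following Python model is an added example, not code from this guide or from ISA Server, written to check that behaviour before a policy is applied to a production firewall. The contents of the built-in Microsoft domain name set, the name of the administrators' rule, the DNS1 address 10.0.0.2, the external addresses and the sample requests are assumptions made for the example.

```python
"""Ordered, first-match evaluation of ISA Server 2004 Access Rules (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Assumed lab addressing: the Internal network is 10.0.0.0/24. "External" is
# every address ISA has not assigned to another network.
DEFINED_NETWORKS = {"Internal": [ip_network("10.0.0.0/24")]}


def in_network(ip, name):
    addr = ip_address(ip)
    if name == "External":
        return not any(addr in n for nets in DEFINED_NETWORKS.values() for n in nets)
    return any(addr in n for n in DEFINED_NETWORKS.get(name, []))


@dataclass
class Request:
    user: str            # "" = unauthenticated (SecureNAT client or anonymous)
    src_ip: str
    protocol: str        # protocol definition name: "HTTP", "HTTPS", "IRC", "DNS"
    dest_ip: str
    dest_host: str = ""  # host name, known only for Web Proxy client requests


@dataclass
class AccessRule:
    name: str
    action: str                    # "Allow" or "Deny"
    protocols: set                 # protocol names; empty set = all outbound traffic
    sources: list                  # network names or single IP addresses (computer sets)
    dest_networks: list = field(default_factory=list)
    dest_domain_set: list = field(default_factory=list)   # wildcard host names
    users: set = field(default_factory=lambda: {"All Users"})
    enabled: bool = True

    def _source_ok(self, ip):
        for s in self.sources:
            if s in DEFINED_NETWORKS or s == "External":
                if in_network(ip, s):
                    return True
            elif ip_address(ip) == ip_address(s):
                return True
        return False

    def _dest_ok(self, r):
        if any(in_network(r.dest_ip, n) for n in self.dest_networks):
            return True
        host = r.dest_host.lower()
        return bool(host) and any(fnmatch(host, p) for p in self.dest_domain_set)

    def matches(self, r):
        if not self.enabled:
            return False
        if self.protocols and r.protocol not in self.protocols:
            return False
        if not self._source_ok(r.src_ip) or not self._dest_ok(r):
            return False
        if "All Users" in self.users:
            return True
        # A rule limited to a user set never matches an unauthenticated request.
        return r.user != "" and r.user in self.users


def evaluate(policy, r):
    """Return (action, rule name) from the first matching rule, else the default deny."""
    for rule in policy:
        if rule.matches(r):
            return rule.action, rule.name
    return "Deny", "Default rule"


# Assumed contents of the built-in "Microsoft" domain name set.
MICROSOFT_SET = ["*.microsoft.com", "*.msn.com", "*.windowsupdate.com"]

# The policy built in this chapter, in the order the rules were created.
POLICY = [
    AccessRule("Limited Users Web Access", "Allow", {"HTTP", "HTTPS"}, ["Internal"],
               dest_domain_set=MICROSOFT_SET, users={"User2"}),
    AccessRule("Administrators Web Access", "Allow", {"HTTP", "HTTPS", "IRC"},
               ["Internal"], dest_networks=["External"], users={"Administrator"}),
    AccessRule("DNS Server to Internet", "Allow", {"DNS"}, ["10.0.0.2"],
               dest_networks=["External"]),
]

if __name__ == "__main__":
    samples = [
        Request("User2", "10.0.0.4", "HTTP", "192.0.2.10", "www.microsoft.com"),
        Request("User2", "10.0.0.4", "HTTP", "192.0.2.20", "www.isaserver.org"),
        Request("Administrator", "10.0.0.4", "HTTP", "192.0.2.20", "www.isaserver.org"),
        Request("", "10.0.0.4", "HTTP", "192.0.2.10", "www.microsoft.com"),
        Request("", "10.0.0.2", "DNS", "192.0.2.53"),
    ]
    for s in samples:
        print(s.user or "<anonymous>", s.protocol, s.dest_host or s.dest_ip, "->", evaluate(POLICY, s))
    # Rule order: the same Deny rule changes the result depending on its position.
    block_irc = AccessRule("Block IRC", "Deny", {"IRC"}, ["Internal"], dest_networks=["External"])
    admin_irc = Request("Administrator", "10.0.0.4", "IRC", "192.0.2.30")
    print("Block IRC first:", evaluate([block_irc] + POLICY, admin_irc))
    print("Block IRC last: ", evaluate(POLICY + [block_irc], admin_irc))
```

A request from a SecureNAT client carries neither a user name nor a host name, so a rule restricted to a user set or to a domain name set never matches it, and only the all-users DNS rule can apply to 10.0.0.2. The last two lines of the run show the same Deny rule producing opposite results for an administrator's IRC request depending on whether it sits above or below the administrators' rule, which is why the position of a rule in the list matters as much as its contents.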
Use HTTP Policy to Prevent Access to Suspect Web Sites You can block access to Web sites based on virtually any component of the HTTP communication using ISA Server 2004 HTTP policy. For example, you might want to prevent access to all Web sites that contain a reference to the popular file-sharing application, Kaaza.
6. Click Apply and OK in the Configure HTTP policy for rule dialog box.
7. Repeat the preceding steps for the Limited Users Web Access rule. 8. Click Apply to save the changes and update firewall policy. 9. Click OK in the Apply New Configuration dialog box.
Test the Access Rules Now that we have an ISA Server 2004 Access Policy in place, we can test the policy. Perform the following steps to test Access Policy: 1.
8. Log off the CLIENT machine and then log on as Administrator . 9. Open the Web browser and enter www.microsoft.com in the Address bar of Internet Explorer and press ENTER . The Microsoft Web site appears. 10. Enter www.isaserver.org in the Address bar of Internet Explorer and press ENTER.
Conclusion In this ISA Server 2004 Configuration Guide section, we discussed the variety of methods you can use to control outbound access to the Internet using ISA Server 2004 Access Rules. In the walkthroughs, you created Access Rules that controlled access to specific Web sites and protocols based on user and group membership.
ISA Server 2004 Configuration Guide: Publishing a Web and FTP Server on the Perimeter Network Chapter 12
Introduction ISA Server 2004 firewalls enable you to publish resources located on protected networks so external users can access those resources.
Configure the Web Site The first step is to configure the Web site on the perimeter network segment. In a production environment, the Web site will already be configured and be ready to publish. In this current example, we need to create a default Web site document and set a few parameters so that we can test it successfully.
6. Use the Move Up button to move the default.txt entry to the top of the list.
7. Click Apply ; then click OK in the Default Web Site Properties dialog box. 8. Right click the server name in the left pane of the console and point to All Tasks . Click Restart IIS . 9. Select Restart Internet Services on TRIHOMEDMZLAN1 in the Stop/Start/Restart dialog box and click OK .
11. Click Start and Windows Explorer . 12. Navigate to the C:\Inetpub\wwwroot folder. Click the File menu, point to New and click Text Document . 13. Double click the New Text Document.txt entry in the right pane of the window.
Configure the FTP Site The next step is to configure the FTP site so that it is ready to be published. You will set the IP address the FTP site listens on and configure messages for the FTP site to return to users connecting to the site. In addition, you will enable users to upload files to the FTP site.
6. Click on the Home Directory tab. On the Home Directory tab, put a checkmark in the Write check box. Note that in a production environment you should be very careful about allowing write access to FTP sites. Internet intruders can take advantage of poorly-secured FTP sites and store illegal material on your site.
7. Click Apply and OK in the Default FTP Site Properties dialog box. 8. Right click the server name in the left pane of the console and point to All Tasks . Click Restart IIS . 9. Select the Restart Internet Services on TRIHOMEDMZLAN1 entry in What do you want IIS to do? and click OK .
Disable the Custom Rules and Enable the Template Created Rules In the last chapter in this ISA Server 2004 Configuration Guide , we created Access Rules that allowed for user/group-based access control for outbound connections. We now want to disable those rules and use the rules that the 3-Leg Perimeter Network Template Wizard created.
6. With the two Access Rules still selected, click the blue, up-pointing arrow in the console button bar to move the rules to the top of the list. 7. Click Apply to save the changes and update firewall policy. 8. Click OK in the Apply New Configuration dialog box.
Create the Web Publishing Rule You're now ready to create the Web Publishing Rule. The Web Publishing Rule will configure the ISA Server 2004 firewall to listen for incoming requests for your Web site.
6. On the Public Name Details page, select This domain name (type below ) in the Accept requests for list. In the Public name text box, enter the name that external users will use to access the site. In this example we will use the name perimeter.msfirewall.
7. On the Select Web Listener page, click New . 8. On the Welcome to the New Web Listener Wizard page, enter a name for the Web listener in the Web listener name text box. In this example we will name the listener Listener1 . Click Next . 9. On the IP Addresses page, put a checkmark in the External check box and click Address .
10. On the External Network Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network . In the Available IP Addresses list, select the IP address on the external interface of the ISA Server 2004 firewall and click Add .
12. On the Port Specification page, confirm that there is a checkmark in the Enable HTTP check box and that the default HTTP port number is 80 . Click Next .
13. Click Finish on the Completing the New Web Listener Wizard page. 14. The Listener1 entry now appears in the Web listener list. Click Next . 15. On the User Sets page, accept the default entry, All Users , and click Next . 16. Click Finish on the Completing the New Web Publishing Rule Wizard page.
3. Add the following line to the HOSTS file: 172.16.0.2 perimeter.msfirewall.org Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit . In the Notepad dialog box, click Yes to indicate that you wish to save the changes.
Create the FTP Server Publishing Rule Server Publishing Rules are simpler than Web Publishing Rules. A Server Publishing Rule forwards incoming requests to the published server and exposes them to application layer filters installed on the ISA Server 2004 firewall.
6. On the IP Addresses page, place a checkmark in the External check box. Click the Addresses button. 7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option.
Test the Connection We are now ready to test the connection. Internet Explorer 6.0 can access both Web and FTP sites within the browser. The only difference in the current example is that you will specify http:// for the Web site and ftp:// for the FTP site.
7. If you would like to upload files to the site, return to the Microsoft Internet Security and Acceleration Server 2004 management console, right click on the Perimeter FTP Server publishing rule and click Configure FTP . 8. In the Configure FTP protocol policy dialog box, remove the checkmark from the Read Only check box. Leave Read Only checked on any rule that does not need uploads; the FTP filter then blocks write commands at the firewall regardless of the IIS permissions set earlier.
9. Click Apply to save the changes and update the firewall policy. 10. Click OK in the Apply New Configuration dialog box.
Conclusion In this ISA Server 2004 Configuration Guide document we discussed two primary methods that allow external users access to resources contained on protected networks. We first used a Web Publishing Rule to allow inbound access to resources contained in a perimeter network segment.
ISA Server 2004 Configuration Guide: Configuring the Firewall as a Filtering SMTP Relay Chapter 13
Introduction One of the optional components included with ISA Server 2004 is the SMTP Message Screener. The SMTP Message Screener can inspect SMTP messages at the application layer and relay or reject messages based on parameters you configure.
Restore the System to its Post-installation State In order to fully test the inbound and outbound SMTP relay configuration in this scenario, we will return the machine to its post-installation state so that other Access Rules do not interfere with the scenario development.
Assign a second IP address to the Internal interface of the ISA Server 2004 firewall We will add a second IP address to the Internal interface of the ISA Server 2004 firewall machine. This will allow us to publish the outbound SMTP relay on a different IP address than the inbound SMTP relay.
Install and Configure the SMTP Service Install the IIS 6.0 SMTP service before the ISA Server 2004 SMTP Message Screener. The SMTP service works together with the SMTP Message Screener to examine and block offending e-mail messages. Perform the following steps to install the IIS 6.
2. In the Internet Information Services (IIS) Manager console, expand the computer name in the left pane of the console. Right click the Default SMTP Virtual Server and click Properties . 3. In the Default SMTP Virtual Server Properties dialog box, click the Access tab.
14. Right click the Default SMTP Virtual Server node and click Stop . Right click the Default SMTP Virtual Server node and click Start .
Install the SMTP Message Screener The SMTP Message Screener is an optional ISA Server 2004 component. This feature integrates with the IIS 6.0 SMTP service to examine and block SMTP mail based on parameters you configure in the Message Screener.
7. Click Install on the Ready to Modify the Program page. 8. Put a checkmark in the Invoke ISA Server Management when the wizard closes check box and click Finish on the Installation Wizard Completed page.
Create the SMTP Server Publishing Rules The SMTP Message Screener works together with SMTP Server Publishing Rules. Each SMTP Server Publishing Rule can be configured with a custom set of SMTP Message Screener parameters. This allows you to create different e-mail screening policies for the inbound and outbound SMTP relays.
6. On the IP Addresses page, put a checkmark in the External check box and click the Address button. 7. In the External Network Listener IP Selection dialog box, select Specified IP addresses on the ISA Server computer in the selected network . Click the IP address for the external interface you want to use in the rule.
7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the IP address on the Internal interface you want to use in the rule. In this example, the IP address is 10.
2. Click on the General tab in the Configure SMTP Protocol Policy dialog box. Place a checkmark in the Enable support for Message Screener checkbox. 3. Click on the Keywords tab. Place a checkmark in the Enable this rule checkbox. Click Add . In the Mail Keyword Rule dialog box, enter resume in the Keyword text box.
Perform the following steps on the Inbound SMTP Relay Server Publishing Rule: 1. Right click the Inbound SMTP Relay rule and click Configure SMTP . 2. Click on the General tab in the Configure SMTP Protocol Policy dialog box. Place a checkmark in the Enable support for Message Screener check box.
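Because each SMTP Server Publishing Rule carries its own Message Screener policy, a keyword such as resume can be held on the inbound relay while the outbound relay applies a different list. The following Python model is an added example, not code from this guide or from ISA Server; it applies keyword rules with a scope (Message header, Message body, or Message header or body) and an action (Delete message, Hold message, Forward message to) to constructed sample messages, and adds an attachment-extension rule as an assumption made for this example. The sample messages, rule lists and mail addresses are constructed, not captured from any real mail flow.

```python
"""SMTP Message Screener keyword and attachment rules (added example)."""
import email
from dataclasses import dataclass


@dataclass
class KeywordRule:
    keyword: str
    scope: str     # "Message header", "Message body" or "Message header or body"
    action: str    # "Delete message", "Hold message" or "Forward message to <address>"


@dataclass
class AttachmentRule:       # assumed extension rule, modelled on the Attachments tab
    extension: str          # e.g. ".exe"
    action: str


def _text_bodies(msg):
    """Decoded text of every non-attachment text part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def _attachment_names(msg):
    for part in msg.walk():
        if part.get_filename():
            yield part.get_filename()


def screen(raw_message, keyword_rules, attachment_rules=()):
    """Action of the first matching rule for one message, or "Relay" when it is clean."""
    msg = email.message_from_string(raw_message)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    body = "\n".join(_text_bodies(msg)).lower()
    for rule in keyword_rules:
        kw = rule.keyword.lower()
        in_header = rule.scope in ("Message header", "Message header or body") and kw in headers
        in_body = rule.scope in ("Message body", "Message header or body") and kw in body
        if in_header or in_body:
            return rule.action
    for rule in attachment_rules:
        if any(n.lower().endswith(rule.extension.lower()) for n in _attachment_names(msg)):
            return rule.action
    return "Relay"


# Separate policies for the two relays, as configured per publishing rule above.
INBOUND_KEYWORDS = [KeywordRule("resume", "Message header or body", "Hold message")]
INBOUND_ATTACHMENTS = [AttachmentRule(".exe", "Delete message")]
OUTBOUND_KEYWORDS = [KeywordRule("confidential", "Message body", "Hold message")]  # assumed

# Constructed sample messages.
RESUME_MSG = """From: applicant@example.net
To: jobs@msfirewall.org
Subject: Application

Please find my resume attached.
"""

CLEAN_MSG = """From: partner@example.net
To: sales@msfirewall.org
Subject: Meeting

See you Tuesday.
"""

EXE_MSG = """From: someone@example.net
To: user@msfirewall.org
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open this.
--b1
Content-Type: application/octet-stream; name="photos.exe"
Content-Disposition: attachment; filename="photos.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for name, msg in [("resume", RESUME_MSG), ("clean", CLEAN_MSG), ("exe", EXE_MSG)]:
        print(f"inbound  {name:6s} -> {screen(msg, INBOUND_KEYWORDS, INBOUND_ATTACHMENTS)}")
        print(f"outbound {name:6s} -> {screen(msg, OUTBOUND_KEYWORDS)}")
```

The scope matters: a rule limited to Message header does not see the word in the body of the first sample, so the same keyword produces Relay instead of Hold message. Keyword matching here is a plain case-insensitive substring test on decoded text, so it does not see text inside attachments; that is why the extension rule is checked separately.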
Create the Outbound SMTP Access Rule Perform the following steps to create an outbound SMTP Access Rule that enables the ISA Server 2004 firewall to relay SMTP from the Internal Exchange Server to SMTP servers for other domains on the Internet: 1.
10. On the User Sets page, accept the default value, All Users , and click Next . 11. Click Finish on the Completing the New Access Rule Wizard page. 12. Click Apply to save the changes and update the firewall policy.
Configure SMTP Message Screener Logging The SMTP Message Screener logs all messages moving through the inbound and outbound SMTP relays. This logging feature helps you troubleshoot, lets you review the e-mail messages moving through the server, and confirms that the SMTP Message Screener is doing what you expect it to do.
5. Click OK in the Options dialog box. 6. Click Apply and then click OK in the SMTP Message Screener Properties dialog box. 7. Click Apply to save the changes and update the firewall policy.
Test SMTP Filtering Now that the SMTP Server Publishing Rule and SMTP Message Screener configurations are in place, we're ready to test the effectiveness of the Message Screener. Perform the following on the external client machine to test the inbound SMTP relay function: 1.
Conclusion In this ISA Server 2004 Configuration Guide document, we discussed how to make the ISA Server 2004 firewall the front line of protection in an e-mail defense-in-depth plan. The ISA Server 2004 SMTP Message Screener can provide initial inspection and protection against dangerous and inappropriate e-mail messages.
ISA Server 2004 Configuration Guide: Publishing the Exchange Outlook Web Access, SMTP Server and POP3 Server Sites Chapter 14
Introduction One of the main reasons to deploy an ISA Server 2004 firewall is to protect Microsoft Exchange Servers. ISA Server 2004 includes a number of technologies focused on providing enhanced support to protect Microsoft Exchange services published to the Internet.
Restore the System to its Post-installation State In order to fully test the Exchange publishing configuration in this scenario, we will return the machine to its post-installation state so that other Access Rules do not interfere with the scenario development.
Create the OWA Web Publishing Rule You can publish the Microsoft Exchange Outlook Web Access site using ISA Server 2004 Web Publishing after the site is configured to support secure SSL connections. These procedures include forcing SSL on the OWA directories and allowing the directories to accept only basic authentication.
6. On the Bridging Mode page, select Secure connection to clients and mail server and click Next .
7. On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example, we will use the name owa.
8. On the Public Name Details page, select This domain name (type below ) in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.
9. On the Select Web Listener page, click New . 10. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will use the name OWA SSL Listener . Click Next . 11. On the IP Addresses page, put a checkmark in the External check box.
19. In the OWA SSL Listener Properties dialog box, click the Preferences tab. 20. On the Preferences tab, click the Authentication button. 21. In the Authentication dialog box, remove the checkmark from the Integrated check box.
23. Click Apply and then click OK in the OWA SSL Listener Properties dialog box. 24. Click Next on the Select Web Listener page.
25. On the User Sets page, accept the default entry, All Users , and click Next . 26. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page. 27. Click Apply to save the changes and update the firewall policy. 28. Click OK in the Apply New Configuration dialog box.
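Both the Web Publishing Rule for perimeter.msfirewall.org in the previous chapter and the OWA rule just created depend on the Web listener and the public name: ISA Server only forwards a request that arrives on the listener's address and port and whose Host header matches a public name published on that listener, so a request addressed to the firewall's bare IP address is refused even though a Web server sits behind it. The following Python model is an added example, not code from this guide or from ISA Server. The external address 192.0.2.1, the OWA paths the wizard publishes (/exchange/*, /exchweb/*, /public/*), the variant OWA rule that requires authentication, and the sample requests are assumptions made for the example.

```python
"""Web listener and Web Publishing Rule dispatch (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Listener:
    name: str
    ip: str                 # external address the listener is bound to
    port: int
    tls: bool               # True = SSL listener with a server certificate
    auth_methods: set = field(default_factory=set)   # e.g. {"Basic"}; Integrated removed


@dataclass
class WebPublishingRule:
    name: str
    listener: Listener
    public_names: list      # "This domain name (type below)" entries
    paths: list             # external paths, e.g. "/*" or "/exchange/*"
    server: str             # published Web (or Web mail) server name/address
    bridge_tls: bool        # "Secure connection to clients and mail server"
    require_auth: bool = False   # False = user set "All Users"


@dataclass
class Request:
    dst_ip: str
    dst_port: int
    tls: bool
    host: str               # Host header (or SNI) as sent by the client
    path: str
    auth_scheme: str = ""   # scheme in the Authorization header, "" if none


def dispatch(rules, req):
    """Return ("forward", url) or ("reject", reason) for one inbound request."""
    listeners = {(r.listener.ip, r.listener.port): r.listener for r in rules}
    listener = listeners.get((req.dst_ip, req.dst_port))
    if listener is None or listener.tls != req.tls:
        return "reject", "no listener on this address/port"
    host = req.host.lower().split(":")[0]          # drop an explicit :port
    for rule in rules:
        if rule.listener.name != listener.name:
            continue
        if host not in [n.lower() for n in rule.public_names]:
            continue                                # public name check
        if not any(fnmatch(req.path, p) for p in rule.paths):
            continue
        if rule.require_auth:
            if not req.auth_scheme:
                return "reject", "401 credentials required"
            if req.auth_scheme not in listener.auth_methods:
                return "reject", f"{req.auth_scheme} not accepted on {listener.name}"
        scheme = "https" if rule.bridge_tls else "http"
        return "forward", f"{scheme}://{rule.server}{req.path}"
    return "reject", "no rule for this public name and path on the listener"


# Assumed external address of the firewall; listeners from the two chapters.
LISTENER1 = Listener("Listener1", "192.0.2.1", 80, tls=False)
OWA_LISTENER = Listener("OWA SSL Listener", "192.0.2.1", 443, tls=True, auth_methods={"Basic"})
OWA_PATHS = ["/exchange/*", "/exchweb/*", "/public/*"]   # assumed wizard defaults

RULES = [
    WebPublishingRule("Perimeter Web Server", LISTENER1, ["perimeter.msfirewall.org"],
                      ["/*"], "172.16.0.2", bridge_tls=False),
    WebPublishingRule("OWA", OWA_LISTENER, ["owa.msfirewall.org"], OWA_PATHS,
                      "owa.msfirewall.org", bridge_tls=True),
]
# Hypothetical variant: the OWA rule limited to authenticated users, so the
# listener's Basic-only setting decides which credentials ISA accepts.
OWA_AUTH_RULES = [WebPublishingRule("OWA (authenticated)", OWA_LISTENER,
                                    ["owa.msfirewall.org"], OWA_PATHS,
                                    "owa.msfirewall.org", True, require_auth=True)]

if __name__ == "__main__":
    print(dispatch(RULES, Request("192.0.2.1", 80, False, "perimeter.msfirewall.org", "/default.txt")))
    print(dispatch(RULES, Request("192.0.2.1", 80, False, "192.0.2.1", "/")))
    print(dispatch(RULES, Request("192.0.2.1", 443, True, "owa.msfirewall.org", "/exchange/")))
    print(dispatch(OWA_AUTH_RULES, Request("192.0.2.1", 443, True, "owa.msfirewall.org", "/exchange/", "Negotiate")))
```

Two consequences are visible in the run: a request for owa.msfirewall.org on port 80 is refused because no rule on Listener1 publishes that name, and the hypothetical authenticated variant rejects a Negotiate header because Integrated authentication was removed from the OWA SSL Listener, leaving Basic (which is only acceptable because the listener is SSL) as the one accepted scheme.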
6. Add the following line to the HOSTS file: 10.0.0.2 owa.msfirewall.org Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and Exit . In the Notepad dialog box, click Yes to indicate that you wish to save the changes.
Create the SMTP Server Publishing Rule You can create an SMTP Server Publishing Rule to provide external users and servers access to the Microsoft Exchange SMTP service.
16. In the External Network Listener IP Selection dialog box, select Specified IP addresses on the ISA Server computer in the selected network . Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.
Create the POP3 Server Publishing Rule Remote access to the Exchange Server POP3 service allows users located away from the office to download their mail from the Exchange Server to virtually any e-mail client application.
8. Click Next on the IP Addresses page. 9. Click Finish on the Completing the New Server Publishing Rule Wizard page.
Test the connection We are now ready to test the OWA, SMTP and POP3 connections to the Exchange Server located behind the ISA Server 2004 firewall. The first step is to create a HOSTS file entry on the client so that it correctly resolves the name of the OWA site.
5. In the Outlook Web Access Log on form, enter the user name in the Domain\user name text box, and the password in the Password text box. Select the Premium client type and the Private computer Security type. In the current example, we will enter the user name MSFIREWALL\Administrator and the Administrator's password.
7. On the Internet Mail Logon page, enter Administrator in the Account name text box and the administrator's password in the Password text box. Click Next . 8. Click Finish on the Congratulations! page. 9. Click Close on the Internet Accounts dialog box.
Conclusion In this ISA Server 2004 Configuration Guide document, we discussed how to publish a Microsoft Exchange Outlook Web Access (OWA) site and how to publish the Exchange POP3 and SMTP services.
ISA Server 2004 Configuration Guide: Configuring the ISA Server 2004 Firewall as a VPN Server Chapter 15
Introduction The ISA Server 2004 firewall can be configured as a VPN server. The VPN server component enables it to accept incoming VPN client calls so that the VPN client computer can become a member of a protected network.
Enable the VPN Server By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components. Perform the following steps to enable and configure the ISA Server 2004 VPN Server: 1.
7. Click on the Groups tab. On the Groups tab, click the Add button. 8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK . 9. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box.
10. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec check box.
11. Click the User Mapping tab. Put a checkmark in the Enable User Mapping check box. Put a checkmark in the When username does not contain a domain, use this domain check box.
12. Click Apply in the VPN Clients Properties dialog box. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box that informs you that you must restart the ISA Server firewall before the settings take effect. Click OK . 13.
Create an Access Rule Allowing VPN Clients Access to the Internal Network At this point, VPN clients can connect to the VPN server. However, the VPN clients cannot access any resources on the Internal network. You must first create an Access Rule that allows members of the VPN clients network access to the Internal network.
6. Click Next on the Access Rule Sources page. 7. On the Access Rule Destinations page, click Add . On the Add Network Entities dialog box, click the Networks folder and double click on Internal . Click Close .
Enable Dial-in Access for the Administrator Account In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default.
Test the VPN Connection The ISA Server 2004 VPN server is now ready to accept VPN client connections. Perform the following steps to test the VPN Server: 1. On the Windows 2000 external client machine, right click the My Network Places icon on the desktop and click Properties .
12. Click Start and the Run command. In the Run dialog box, enter \\EXCHANGE2003BE in the Open text box, and click OK . The shares on the domain controller computer appear.
Conclusion In this ISA Server 2004 Configuration Guide document, we discussed how to enable the ISA Server 2004 VPN server component and how to configure the VPN server. We tested the VPN server functionality by creating a VPN client connection to the server and accessing resources on the Internal network.
ISA Server 2004 Configuration Guide: Creating a Site-to-Site VPN with ISA Server 2004 Firewalls Chapter 16
Introduction A site-to-site VPN connection connects two or more networks using a VPN link over the Internet. The VPN site-to-site configuration works just like a LAN router; packets destined for IP addresses at a remote site are routed through the ISA Server 2004 machine.
Create the Remote Site at the Main Office We will begin by configuring the ISA Server 2004 firewall at the main office. First, create the Remote Site Network in the Microsoft Internet Security and Acceleration Server 2004 management console.
5. On the Remote Site Gateway page, enter the IP address of the external interface of the remote ISA Server 2004 firewall machine. In this example, the IP address is 192.
7. Read the information on the Local Authentication page, and click Next . 8. On the L2TP/IPSec Authentication page, put a checkmark in the Allow pre-shared key IPSec authentication as a secondary (backup) authentication method check box. Enter a key in the Use pre-shared key for authentication text box.
9. Click Add on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.
10. Click Next on the Network Addresses page. 11. Click Finish on the Completing the New Network Wizard page.
Create the Network Rule at the Main Office The ISA Server 2004 firewall must know what method to use to route packets to the branch office network.
11. Click Finish on the Completing the New Network Rule Wizard page.
Create the Access Rules at the Main Office In this example, we want the clients on both the main and branch office networks to have full access to all resources on each network. We must create Access Rules to allow traffic from the main office to the branch office and from the branch office to the main office.
11. On the User Sets page, accept the default entry All Users and click Next . 12. Click Finish on the Completing the New Access Rule Wizard page. The second rule will allow the hosts on the branch office network access to the main office network: 1.
Finally, to enable access for VPN clients: 1. Click on the Virtual Private Network node in the left Pane of the console. 2. Click the VPN Clients tab in the Details Pane.
Create the VPN Gateway Dial-in Account at the Main Office A user account must be created on the main office firewall that the branch office firewall can authenticate with when it creates the site-to-site connection.
Set the Shared Password in the RRAS Console at the Main Office The pre-shared key you entered into the Microsoft Internet Security and Acceleration Server 2004 management console is not automatically copied to the Routing and Remote Access service.
Create the Remote Site at the Branch Office Now that the main office is ready, we can configure the branch office ISA Server 2004 firewall. Perform the following steps to create the Remote Site Network at the branch office: 1.
Create the Network Rule at the Branch Office Just as we did at the main office, we must create a routing relationship between the branch office and the main office networks. We will configure a route relationship so that we can get the highest level of protocol support.
Create the Access Rules at the Branch Office We need to create two Access Rules, one that allows traffic from the branch office to the main office, and the second to allow traffic from the main office to the branch office.
The last step we need to take in the Microsoft Internet Security and Acceleration Server 2004 management console is to enable access for VPN clients: 1. Click on the Virtual Private Network node in the left Pane of the console. 2. Click the VPN Clients tab in the Details Pane.
Create the VPN Gateway Dial-in Account at the Branch Office We must create a user account that the main office VPN gateway can authenticate with when it initiates the VPN site-to-site connection. The user account must have the same name as the demand-dial interface created on the branch office machine.
Set the Shared Password in the RRAS Console at the Branch Office
The pre-shared key configured in the Microsoft Internet Security and Acceleration Server 2004 management console is not automatically copied to the Routing and Remote Access service.
Activate the Site-to-Site Links
Now that both the main and branch office ISA Server 2004 firewalls are configured as VPN routers, you can test the site-to-site connection. Perform the following steps to test the site-to-site link: 1.
Conclusion
In this ISA Server 2004 Configuration Guide document we discussed how to use the ISA Server 2004 firewall as a VPN gateway that enables site-to-site VPN links. We configured two ISA Server 2004 firewalls, one at the main office and a second at the branch office.
