Title: Secure connection to the Internet with Microsoft ISA Server 2000
1 Secure connection to the Internet with
Microsoft ISA Server 2000
- BackOffice Systems Engineer, Microsoft Corp.
2 Agenda
- What is Microsoft ISA Server 2000?
- ISA Server architecture
- Clients: installation and configuration
- Access control
- Filters
- Intrusion detection
- Authentication
- Publishing
- Resources
3 MS Internet Security and Acceleration Server
One product, three installation modes:
- Cache mode: fast access to the Web by caching content close to the users.
- Firewall mode: secure, policy-controlled connection of the internal network to the Internet.
- Integrated mode: firewall and Web cache on the same server, managed together.
4 ISA Server Enterprise Edition features
- Arrays: several ISA Server computers administered as one unit, with distributed caching, load balancing, NLB and CARP (Cache Array Routing Protocol).
- Active Directory: array configuration and policy are stored in Active Directory and apply to every member of the array.
- Tiered policy: policy can be defined at the array level and at the enterprise level, and the enterprise policy can restrict what an array policy may allow.
5 ISA Server architecture
6 ISA Server clients
- SecureNAT client: no software is installed on the client PC; it only needs a default gateway that leads to ISA Server.
- Web Proxy client: a Web browser configured to use ISA Server as its proxy server.
- Firewall client: the Firewall Client software gives Winsock applications on the PC access to the Internet through ISA Server.
7 Configuring a Web Proxy client
Internet Explorer, Local Area Network (LAN) Settings dialog:
1. Under Proxy Server, select Use a proxy server.
2. In Address, enter the IP address or name of the ISA Server (on the slide: 192.168.1.200).
3. In Port, enter the port of the outgoing Web requests listener (on the slide: 8080) and click OK.
Leave Bypass proxy server for local addresses selected so that intranet requests are not sent through the proxy.
Note in the dialog: automatic configuration (Automatically detect settings, Use automatic configuration script) may override manual settings; to be sure the manual settings are used, disable automatic configuration.
8 Configuring SecureNAT clients
- No client software is installed; only the client's TCP/IP settings are configured.
- Simple network (one segment, no internal routers): set the client's default gateway to the internal IP address of ISA Server.
- Routed network: clients keep their local router as default gateway; configure the routers so that the route to the Internet ends at the internal IP address of ISA Server.
- The gateway and DNS server settings the clients need can be distributed with DHCP.
9 Installing the Firewall client
The Firewall Client software reaches the client computer in one of three ways:
- from the ISA Server share, by running MSPClnt\Setup.exe;
- by software installation through Group Policy;
- from the Web installation page Webinst/default.htm on the ISA Server.
10 Firewall
- The internal LAN is separated from the Internet by the firewall; only the traffic the access policy allows passes between them.
11 Topology: single firewall
Internet | Firewall | Internal Network
12 Perimeter network on a third LAN adapter (three-homed)
Internet | Firewall (ISA Server) | Perimeter Network
                                 | Internal Network
13 Perimeter network on a third LAN adapter: configuration
ISA Server computer with three adapters: 1 Internet, 2 Perimeter Network, 3 Internal Network.
Enable IP Routing and Packet Filtering: hosts in the perimeter network are not in the LAT, so their traffic is not handled by the Firewall or Web Proxy service. It is forwarded only if IP routing is enabled, and it is controlled only by IP packet filters.
14 Perimeter network between two firewalls (back-to-back)
Internet | External Firewall | Perimeter Network | Internal Firewall | Internal Network
15 ISA Server: policy and filters applied to traffic
Example access policy: Allow HTTP to All Destinations.
Rules applied to a request on its way between the External Network and the Internal Network: first the access policy, then the application filters that own the protocol (Streaming Media, SMTP, DNS intrusion detection, ...).
External Network | Firewall (ISA Server) | Internal Network
16 Access control elements
- Access policy
- IP packet filters (static)
- Application filters (dynamic)
- Intrusion detection
- Policy elements
- Bandwidth rules
- Protocol rules
- Publishing
- Site and content rules
- Authentication
17 IP packet filters
Example: a DNS server at 131.107.2.200 in the perimeter network; ISA Server addresses 131.107.1.1 (Internet side), 131.107.2.1 (perimeter side) and 192.168.1.1 (internal side).
Packet filter on ISA Server:
Protocol | Direction | Destination / Port | Source / Port | Type
UDP      | Incoming  | 131.107.2.200 / 53 | Any / Any     | Allow
This filter lets any host on the Internet send DNS queries to the perimeter DNS server. It does not open TCP 53 (zone transfers), and a packet matched by no allow filter is dropped.
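The evaluation behind the table above, as an added example that is not code from the slides or from ISA Server: a filter is the tuple of columns shown (protocol, direction, destination/port, source/port, action), unmatched packets are dropped, and a Block filter overrides an Allow filter that also matches. The single filter is the slide's; the sample packets and the hypothetical Block filter are constructed here.

```python
# Added example (not from the original slides): evaluates static IP packet
# filters with the columns of the slide's table. Only the documented
# semantics are reproduced: default deny, and a Block filter wins over an
# Allow filter that also matches the same packet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    protocol: str          # "TCP", "UDP", "ICMP", ...
    direction: str         # "Incoming" (from the Internet) or "Outgoing"
    src: str
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class PacketFilter:
    protocol: str          # "UDP", "TCP", "ICMP" or "Any"
    direction: str         # "Incoming", "Outgoing" or "Both"
    destination: str       # single IP, CIDR block or "Any"
    dest_port: str         # port number as text, or "Any"
    source: str
    src_port: str
    action: str            # "Allow" or "Block"

    @staticmethod
    def _addr_ok(pattern: str, addr: str) -> bool:
        return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)

    @staticmethod
    def _port_ok(pattern: str, port: Optional[int]) -> bool:
        return pattern == ANY or (port is not None and int(pattern) == port)

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in (ANY, pkt.protocol)
                and self.direction in ("Both", pkt.direction)
                and self._addr_ok(self.destination, pkt.dst)
                and self._port_ok(self.dest_port, pkt.dport)
                and self._addr_ok(self.source, pkt.src)
                and self._port_ok(self.src_port, pkt.sport))


def evaluate(filters: List[PacketFilter], pkt: Packet) -> str:
    """Block beats Allow; a packet matched by no filter is dropped (default deny)."""
    hits = [f for f in filters if f.matches(pkt)]
    if any(f.action == "Block" for f in hits):
        return "Block"
    return "Allow" if hits else "Block (no matching filter)"


# The one filter from the slide: UDP, Incoming, 131.107.2.200/53 from Any/Any, Allow.
SLIDE_FILTERS = [
    PacketFilter("UDP", "Incoming", "131.107.2.200", "53", ANY, ANY, "Allow"),
]

# Constructed traffic samples (not from the slide); 203.0.113.0/24 is documentation space.
SAMPLES = {
    "dns query to perimeter DNS":       Packet("UDP", "Incoming", "203.0.113.9", 40000, "131.107.2.200", 53),
    "zone transfer attempt (TCP 53)":   Packet("TCP", "Incoming", "203.0.113.9", 40001, "131.107.2.200", 53),
    "udp 53 to another perimeter host": Packet("UDP", "Incoming", "203.0.113.9", 40002, "131.107.2.201", 53),
    "ping to the DNS server":           Packet("ICMP", "Incoming", "203.0.113.9", None, "131.107.2.200", None),
}


def classify(filters=SLIDE_FILTERS, samples=SAMPLES) -> dict:
    """Return {label: decision} for every sample packet."""
    return {label: evaluate(filters, pkt) for label, pkt in samples.items()}


def with_block_for(filters: List[PacketFilter], bad_source: str) -> List[PacketFilter]:
    """Add a hypothetical Block filter for one source; it overrides the Allow for that source only."""
    return filters + [PacketFilter(ANY, "Both", ANY, ANY, bad_source, ANY, "Block")]


if __name__ == "__main__":
    for label, decision in classify().items():
        print(f"{label:36s} -> {decision}")
    blocked = with_block_for(SLIDE_FILTERS, "203.0.113.9")
    print("dns query after Block filter for 203.0.113.9 ->",
          evaluate(blocked, SAMPLES["dns query to perimeter DNS"]))
```

Only the UDP query is allowed; the TCP 53 attempt, the query to a neighbouring perimeter host and the ICMP echo all fall through to the default deny, which is why a perimeter host needs one filter per service it really offers and nothing wider.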
18 IP routing and packet filtering
IP routing enabled:
- ISA Server forwards packets at the IP level, subject to the packet filters; traffic to a perimeter network on a third LAN adapter becomes possible.
- Protocols other than TCP and UDP (for example ICMP) can be passed.
IP routing disabled:
- Only traffic handled by the ISA Server services (Firewall service, Web Proxy service) is forwarded, and only TCP and UDP.
- No traffic reaches a perimeter network on a third LAN adapter.
In both cases applications running on the ISA Server computer itself reach the Internet only through IP packet filters.
19 Enabling IP routing and packet filtering
Both switches are on the General tab of IP Packet Filters Properties: Enable packet filtering, Enable IP routing.
20 Application filters
Filters shipped with ISA Server:
- DNS intrusion detection filter
- FTP access filter
- H.323 filter
- HTTP redirector filter
- POP intrusion detection filter
- RPC filter
- SMTP filter
- SOCKS V4 filter
- Streaming media filter
21 Configuring the SMTP filter
SMTP Filter Properties, tabs: General, Keywords, Attachments, SMTP Commands, Users/Domains.
General tab: SMTP Filter, Vendor Microsoft, Version 3.0 RC1, Description "Filters SMTP traffic", Enable this filter.
The remaining tabs define what is screened in SMTP traffic: keywords in messages, attachment names and types, SMTP commands (with maximum lengths), and sender users or domains.
22 Configuring the HTTP redirector filter
23 Intrusion detection
- Attacks detected at the IP packet level:
  - All Ports Scan Attack
  - IP Half Scan Attack
  - Land Attack
  - Ping of Death Attack
  - UDP Bomb Attack
  - Windows Out-of-Band Attack
- Attacks detected at the application level:
  - DNS Hostname Overflow
  - DNS Length Overflow
  - DNS Zone Transfer from Privileged Ports (1-1024)
  - DNS Zone Transfer from High Ports (Above 1024)
  - POP Buffer Overflow
24 Configuring intrusion detection
IP Packet Filters Properties (tabs General, Packet Filters, PPTP, Intrusion Detection), Intrusion Detection tab:
- Enable detection of the selected attacks
- Attacks: Windows out-of-band (WinNuke), Land, Ping of death, IP half scan, UDP bomb, Port scan
- Port scan thresholds: Detect after attacks on 10 well-known ports; Detect after attacks on 20 ports
- "To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder." Detection only raises the alert; the action taken (log, mail, stop a service) is set in that alert's properties.
- Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net
DNS intrusion detection filter Properties (tabs General, Attacks), Attacks tab, Filter incoming traffic for the following:
- DNS host name overflow
- DNS length overflow
- DNS zone transfer from privileged ports (1-1024)
- DNS zone transfer from high ports (above 1024)
Select the attacks that should be detected.
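The two port-scan thresholds in the dialog, as an added example that is not ISA Server code: one source probing 10 distinct well-known ports or 20 distinct ports in total raises an alert, and, since the Land attack is on the same checklist, a source address equal to the destination is flagged too. The well-known range (1-1024), the record format and the sample connection attempts are this example's assumptions.

```python
# Added example (not ISA Server code): the port-scan thresholds shown in the
# Intrusion Detection tab, "detect after attacks on 10 well-known ports" and
# "detect after attacks on 20 ports", applied to constructed connection
# attempts, plus the Land attack condition (source address == destination).
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

WELL_KNOWN_MAX = 1024          # privileged/well-known range as the dialog labels it (1-1024)
WELL_KNOWN_THRESHOLD = 10      # "Detect after attacks on 10 well-known ports"
ALL_PORTS_THRESHOLD = 20       # "Detect after attacks on 20 ports"

Attempt = Tuple[str, str, int]  # (source ip, destination ip, destination port)


def detect_port_scans(attempts: Iterable[Attempt],
                      well_known_threshold: int = WELL_KNOWN_THRESHOLD,
                      all_ports_threshold: int = ALL_PORTS_THRESHOLD) -> Dict[str, List[str]]:
    """Return {source ip: [reasons]} for sources whose distinct probed ports cross a threshold.

    Distinct ports are counted, not packets, so many connections to one
    port (a busy but legitimate client) never look like a scan.
    """
    ports_by_src = defaultdict(set)
    for src, _dst, port in attempts:
        ports_by_src[src].add(port)
    alerts: Dict[str, List[str]] = {}
    for src, ports in ports_by_src.items():
        reasons = []
        well_known = {p for p in ports if 1 <= p <= WELL_KNOWN_MAX}
        if len(well_known) >= well_known_threshold:
            reasons.append(f"{len(well_known)} well-known ports")
        if len(ports) >= all_ports_threshold:
            reasons.append(f"{len(ports)} ports in total")
        if reasons:
            alerts[src] = reasons
    return alerts


def land_attack_sources(attempts: Iterable[Attempt]) -> List[str]:
    """Land attack: a packet whose source address equals its destination address."""
    return sorted({src for src, dst, _port in attempts if src == dst})


# Constructed sample (not from the slide): a scanner of privileged ports, a
# scanner of high ports, a chatty but honest DNS client, and one Land packet.
SAMPLE_ATTEMPTS: List[Attempt] = (
    [("203.0.113.10", "131.107.2.200", p) for p in (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445)]
    + [("203.0.113.20", "131.107.2.200", p) for p in range(30000, 30025)]
    + [("198.51.100.7", "131.107.2.200", 53)] * 50
    + [("131.107.2.200", "131.107.2.200", 139)]
)


def scan_report(attempts: Iterable[Attempt] = SAMPLE_ATTEMPTS) -> Dict[str, object]:
    attempts = list(attempts)
    return {"port_scans": detect_port_scans(attempts),
            "land_attacks": land_attack_sources(attempts)}


if __name__ == "__main__":
    for key, value in scan_report().items():
        print(f"{key}: {value}")
```

The thresholds are per source and count distinct ports, so a scan spread over many source addresses, or slowed so that each probe falls outside whatever window the detector keeps, stays under them; the dialog's thresholds are a noise filter, not a guarantee.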
25 Authentication
- SecureNAT client: cannot be authenticated; access for it is controlled by client address only.
- Firewall client: the Firewall Client software passes the user's Windows credentials to ISA Server transparently.
- Web Proxy client: authenticated per request when the listener requires it, with the authentication methods configured on the listener.
26 Configuring authentication for outgoing Web requests
LONDON Array Properties (tabs General, Outgoing Web Requests, Incoming Web Requests, Performance, Auto Discovery, Security), Outgoing Web Requests tab:
- Identification: Use the same listener configuration for all internal IP addresses, or Configure listeners individually per IP address.
- Listener as shown: Server LONDON, IP Address <All internal>, Authentication Integrated (Add, Remove, Edit).
- TCP port 8080, SSL port 8443; Enable SSL listeners.
- Connections: Connection settings (Configure).
- Ask unauthenticated users for identification: when selected, every outgoing Web request must carry credentials. SecureNAT clients cannot supply any, so their Web requests are refused.
27 Configuring authentication methods
Add/Edit Listeners dialog: the authentication methods are set per listener.
28 Processing a client request
29 How an outgoing request is decided
The request is passed only if every step answers Yes:
1. Is there a protocol rule that allows the protocol? No: the request is denied.
2. Is there a protocol rule or a site and content rule that denies it (for this client, destination, content type or schedule)? Yes: denied; deny rules are evaluated before allow rules.
3. Is there a site and content rule that allows the destination and the content? No: denied.
4. For traffic that is routed rather than handled by the Firewall or Web Proxy service: is there an IP packet filter that allows it? No: denied.
Otherwise the request is passed on.
30 Policy elements
- Schedules
- Bandwidth priorities
- Destination sets
- Client address sets
- Protocol definitions
- Content groups
- Dial-up entries
31 Creating a schedule
New schedule: Name "Lunch Hours and Weekends"; Description "Use this schedule to permit access to sites during lunch hours and weekends."
The grid sets the activation times for rules based on this schedule: hours 12 AM to 12 PM and 12 PM to 12 AM, for All days or Sunday to Saturday individually.
Active: rules based on the schedule are in force during these hours. Inactive: they do not apply. Example cell: Sunday from 12 AM to 12 AM (the whole day).
32 Creating bandwidth priorities
New Bandwidth Priority: Name "High Priority", Description "Assigns high priority to incoming traffic."; Outbound bandwidth and Inbound bandwidth (1-200): 30.
New Bandwidth Priority: Name "Basic Priority", Description "Assigns basic priority to incoming traffic."; Outbound bandwidth and Inbound bandwidth (1-200): 20.
33 Creating a destination set
New Destination Set: Name "Partner Web"; Include these computers (Add, Edit, Remove).
Add/Edit Destination: Computer name nwtraders.msft (Browse), or IP addresses From ... To (optional); Path /sales/accounts.xls.
Dialog text: "To include a specific directory in the destination set, type the path below. To include all the files, use this format /dir/. To select a specific file, use this format /dir/filename."
A destination set therefore names a host or address range and, optionally, one directory or one file on it.
34 Creating a client address set
Client Set: Name "Support Staff"; Description (optional). "Select the addresses of computers that belong to this client address set." Members (Add, Edit, Remove).
Add/Edit IP Addresses: From 192.168.101.0 To 192.168.101.255.
35 Creating a protocol definition
Primary connection: port number from 1 to 65535, protocol type (TCP or UDP) and direction (inbound or outbound); secondary connections can be added for protocols that open further ports.
36 Content groups
ISA Management tree: Internet Security and Acceleration Server > Servers and Arrays > LONDON > Monitoring, Computer, Access Policy, Publishing, Bandwidth Rules, Policy Elements (Schedules, Bandwidth Priorities, Destination Sets, Client Address Sets, Protocol Definitions, ...).
Predefined content groups (Name, Description, Content Types):
- Application: Applications; application/hta, application/x-internet-signup, application/x-pkcs7-certific...
- Application Data Files: Files containing data for applications; application/x-mscardfile, application/x-perform, application/x-msclip, appl...
- Audio: Audio files; audio/*, .ra, .ram, .rmi, .au, .snd, .aif, .aifc, .wav, .m3u, .mid, .mp3
- Compressed Files: Compressed files; application/x-gzip, application/x-tar, application/x-gtar, application/x-com...
- Documents: Documents; text/tab-separated-values, text/xml, text/h323, application/postscript, appl...
- HTML Documents: HTML documents; text/webviewhtml, text/html, .htm, .html, .htt, .stm, .xsl
- Images: All known types of images; .cod, .cmx, .ief, .pbm, .pnm, .ppm, .gif, .bmp, .jfif, .jpe, .jpg, .jpeg, .ico, .pgm, .ras
- Macro Documents: Documents that may contain macros; application/msword, application/vnd.ms-excel, application/x-msaccess, a...
- Text: Text content; .txt, .h, .c, .htc, .vcf, .etx, .uls, .css, .bas, .rtx, text/plain, text/x-component, text/...
- Video: Video files; video/*, .asf, .asr, .asx, .avi, .ivf, .lsf, .lsx, .mov, .movie, .mlv, .mp2, .mpa, .mpe, ...
- VRML: VRML; x-world/x-vrml, .flr, .wrl, .wrz, .xaf, .xof
ISA Server ships with this set of predefined content groups; site and content rules refer to them by name.
37 Configuring access rules
38 Publishing
ISA Server with External Adapter 131.107.3.1 towards the Internet and Internal Adapter 192.168.9.1 towards the Internal Network; the published Web Server www.nwtraders.msft stands on the internal network behind ISA Server.
39 Publishing servers on the internal network and in a perimeter network
Back-to-back arrangement: Internet | ISA Server (LAT = Perimeter Network, containing the Web Server) | Perimeter Network | ISA Server (LAT = Internal Network, containing the SQL Server) | Internal Network.
Each ISA Server's LAT covers only the network directly behind it.
40 The LAT and the LDT
Local Address Table (LAT): the address ranges that count as internal; on the slide 192.168.100.200 to 192.168.100.300 (as printed; .300 is not a valid octet) with ISA Server at 192.168.100.225.
The LAT is kept on ISA Server and copied to every Firewall client as Msplat.txt; the client sends traffic for LAT addresses directly and everything else to ISA Server.
Local Domain Table (LDT): the list of DNS domain names treated as local in the same way.
41 Configuring the LAT
Microsoft Internet Security and Acceleration Server Setup: "Enter the IP address ranges that span the internal network address space."
1. Internal IP ranges: Edit, From / To, Add->, Remove->. "To construct a local address table, click Construct Table." Construct Table builds the ranges from the internal adapter's routing information instead of typing them.
2. Ranges as entered on the slide: From 192.168.1.200 To 192.168.255.255.
OK, Cancel, Help.
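The LAT lookup a Firewall client performs, as an added example that is not Microsoft code. It models Msplat.txt as one "from to" range per line (that two-column text layout is this example's assumption, the exact on-disk format is not given on the slides), classifies destinations as direct or via ISA Server, rejects malformed ranges such as the 192.168.100.300 printed on slide 40, and reports public address ranges in the LAT, because the client sends traffic for LAT addresses straight past the firewall. The ranges are the slides'; the probe addresses are constructed.

```python
# Added example (not Microsoft code): Local Address Table handling as seen by
# the Firewall client. LAT text layout ("from<TAB>to" per line) and the lint
# rule for public ranges are assumptions of this example.
from ipaddress import IPv4Address, ip_address, summarize_address_range
from typing import List, Tuple

Range = Tuple[IPv4Address, IPv4Address]


def parse_lat(text: str) -> List[Range]:
    """Parse 'from to' lines into address ranges; blank lines and '#' comments are skipped."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'from to', got {line!r}")
        try:
            lo, hi = ip_address(fields[0]), ip_address(fields[1])
        except ValueError as exc:              # e.g. an octet above 255
            raise ValueError(f"line {lineno}: {exc}") from None
        if lo > hi:
            raise ValueError(f"line {lineno}: range start {lo} is above its end {hi}")
        ranges.append((lo, hi))
    return ranges


def check_lat(text: str) -> str:
    """'ok' or the parse error text, for a quick sanity check of a LAT file."""
    try:
        parse_lat(text)
    except ValueError as exc:
        return str(exc)
    return "ok"


def is_local(lat: List[Range], addr: str) -> bool:
    a = ip_address(addr)
    return any(lo <= a <= hi for lo, hi in lat)


def route_for(lat: List[Range], addr: str) -> str:
    """What the Firewall client does with a connection to addr."""
    return "direct" if is_local(lat, addr) else "via ISA Server"


def public_ranges(lat: List[Range]) -> List[str]:
    """Globally routable networks inside the LAT: traffic to them would bypass the firewall."""
    return [str(net) for lo, hi in lat
            for net in summarize_address_range(lo, hi) if net.is_global]


SLIDE_41_LAT = "192.168.1.200\t192.168.255.255\n"       # ranges typed in the setup dialog
SLIDE_40_LAT = "192.168.100.200\t192.168.100.300\n"     # range as printed on slide 40

if __name__ == "__main__":
    lat = parse_lat(SLIDE_41_LAT)
    for addr in ("192.168.5.7", "192.168.1.100", "131.107.2.200"):
        print(f"{addr:16s} -> {route_for(lat, addr)}")
    print("slide 40 LAT:", check_lat(SLIDE_40_LAT))
    print("public ranges in a careless LAT:",
          public_ranges(parse_lat("192.168.0.0 192.168.255.255\n131.107.2.0 131.107.2.255\n")))
```

Two things fall out of running it against the slide's own values: with the range starting at 192.168.1.200, an internal host such as 192.168.1.100 is treated as external and its traffic goes through ISA Server, and the 192.168.100.300 range from slide 40 is rejected rather than silently truncated.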
42 Where to place published servers: comparison
Options compared on the slide:
- publishing servers that run on the ISA Server computer itself;
- a perimeter network on a third LAN adapter of ISA Server, where traffic between the Internet and the perimeter network is controlled by packet filters;
- a perimeter network between two firewalls, where traffic between the perimeter and the internal network must pass the inner firewall.
43 Web publishing
Requests from the Internet are redirected by path to different internal servers:
- www.nwtraders.msft/africa -> africa.internal.nwtraders.msft
- www.nwtraders.msft/europe -> europe.internal.nwtraders.msft
Internet | ISA Server | Internal Network
44 Configuring listeners for incoming Web requests
LONDON Properties (tabs General, Outgoing Web Requests, Incoming Web Requests, ...), Incoming Web Requests tab:
- Identification: Use the same listener configuration for all IP addresses, or Configure listeners individually per IP address.
- Listener as shown: Server PHOENIX, IP Address <All internal>, Authentication Integrated (Add, Edit, Remove). A listener for published sites is normally bound to the external address, as in the Add/Edit Listeners dialog that follows (131.107.3.1).
- TCP port 80, SSL port 443; Enable SSL listeners.
- Connections: Connection settings (Configure).
- Ask unauthenticated users for identification.
45 Web publishing rule: redirecting to an internal server
PartnerWeb Properties, tabs: General, Destinations, Action, Applies To, Bridging.
Action tab: "Use this page to specify whether the request should be discarded or redirected, and configure the hosted site to which this rule redirects."
- Discard the request.
- Redirect the request to this internal Web server (name or IP address): London (Browse); this is the IP address or DNS name of the internal server.
- Send the original host header to the publishing server instead of the actual one (specified above): required when the internal server hosts several sites by name.
- Define ports this rule redirects to: Connect to this port when bridging request as HTTP 80; as SSL 443; as FTP 21.
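Destination-set matching (slide 33) and the redirect action above, combined in one added example that is not ISA Server code. The path semantics follow the Add/Edit Destination dialog text ("/dir/" covers the directory, "/dir/filename" one file, no path the whole host), rules are tried in order, and an unmatched request is discarded, which is what the default Web publishing rule does. The hosts are the slides' own (www.nwtraders.msft/africa and /europe, Partner Web on nwtraders.msft redirected to London); the requests are constructed.

```python
# Added example (not ISA Server code): destination sets and Web publishing
# redirection as described on the Destinations and Action tabs.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Destination:
    host: Optional[str] = None       # computer name, e.g. "www.nwtraders.msft"
    ip_from: Optional[str] = None    # or an IP address range (From / To)
    ip_to: Optional[str] = None
    path: Optional[str] = None       # None = any path on the host

    def matches(self, host: str, path: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if self.ip_from is not None:
            try:
                addr = ip_address(host)
            except ValueError:            # request by name, destination given as IP range
                return False
            if not ip_address(self.ip_from) <= addr <= ip_address(self.ip_to or self.ip_from):
                return False
        if self.path is None:
            return True
        if self.path.endswith("/"):       # "/dir/": the directory and everything below it
            return path == self.path[:-1] or path.startswith(self.path)
        return path == self.path          # "/dir/filename": exactly one file


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    destinations: Tuple[Destination, ...]
    redirect_to: Optional[str]            # internal server name or IP; None = discard
    send_original_host_header: bool = False
    http_port: int = 80
    ssl_port: int = 443


def route(rules: List[WebPublishingRule], url: str) -> Dict[str, object]:
    """First matching rule wins (rules are ordered); unmatched requests are discarded."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for rule in rules:
        if any(d.matches(host, path) for d in rule.destinations):
            if rule.redirect_to is None:
                return {"action": "discard", "rule": rule.name}
            return {
                "action": "redirect",
                "rule": rule.name,
                "server": rule.redirect_to,
                "port": rule.ssl_port if parts.scheme == "https" else rule.http_port,
                # Without the option the internal server sees its own name as Host,
                # which breaks servers that host several sites by name.
                "host_header": host if rule.send_original_host_header else rule.redirect_to,
            }
    return {"action": "discard", "rule": "(default rule)"}


RULES = [
    WebPublishingRule("Africa", (Destination("www.nwtraders.msft", path="/africa/"),),
                      "africa.internal.nwtraders.msft", send_original_host_header=True),
    WebPublishingRule("Europe", (Destination("www.nwtraders.msft", path="/europe/"),),
                      "europe.internal.nwtraders.msft", send_original_host_header=True),
    WebPublishingRule("PartnerWeb", (Destination("nwtraders.msft", path="/sales/accounts.xls"),),
                      "London"),
]

if __name__ == "__main__":
    for url in ("http://www.nwtraders.msft/africa/index.htm",
                "https://www.nwtraders.msft/europe",
                "http://nwtraders.msft/sales/accounts.xls",
                "http://nwtraders.msft/sales/other.xls",
                "http://www.nwtraders.msft/africana/"):
        print(f"{url:45s} -> {route(RULES, url)}")
```

The single-file destination set is what makes "Partner Web" narrow: /sales/other.xls on the same host reaches no rule and is discarded, and a directory set for /africa/ does not leak into /africana/ because the trailing slash is part of the prefix.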
46 Configuring listener authentication
Add/Edit Listeners: Server LONDON, IP Address 131.107.3.1, Display Name "Partner Web".
- Use a server certificate to authenticate to web clients (Select): the certificate ISA Server presents on the SSL listener.
- Authentication: Basic with this domain (Select domain), Digest with this domain (Select domain), Integrated, Client certificate (secure channel only).
Basic sends the password in clear unless the listener is SSL; Digest and Integrated do not.
47 Configuring SSL bridging
PartnerWeb Properties (tabs General, Destinations, Action, Applies To, Bridging), Bridging tab:
- Redirect HTTP requests as: HTTP requests / SSL requests (establish a secure channel to the site) / FTP requests.
- Redirect SSL requests as: HTTP requests (terminate the secure channel at the proxy) / SSL requests (establish a secure channel to the site) / FTP requests.
  Redirecting SSL requests as HTTP terminates the secure channel at ISA Server, which lets the filters inspect the request; the hop to the internal server is then plain HTTP unless SSL is re-established.
- Use a certificate to authenticate to the SSL Web server (Select): ISA Server presents a client certificate to the internal server.
48 Configuring the secure channel
Same Bridging tab:
- Require secure channel (SSL) for published site: a secure channel is required for Web clients; plain HTTP requests to the published site are refused.
- Require 128-bit encryption: only strong encryption is accepted; weaker cipher suites are rejected.
49 Configuring server publishing
- The published server must be a SecureNAT client (its default gateway leads to ISA Server) so that its replies return through ISA Server.
- Server publishing rules publish non-Web protocols such as SMTP, FTP and SQL.
- Each rule ties a protocol definition and an external IP address of ISA Server to one internal server.
- Published SMTP traffic can additionally be screened with the SMTP filter (keywords, attachments, SMTP commands, users/domains).
50 Publishing a mail server
The internal SMTP server is published with a server publishing rule and its traffic screened by the SMTP filter.
52 Resources
- http://www.microsoft.com/isaserver
- http://www.isaserver.org
53 Thank you for your attention! Questions?