Securing the Perimeter Exchange and VPN Access with ISA Server 2004

1
Securing the Perimeter Exchange and VPN Access
with ISA Server 2004
Jamie Sharp CISSP Security Advisor Amit
Pawar National Technology Specialist Microsoft
Australia
2
Session Overview

• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004

3
Introduction to ISA Server 2004

• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004

4
Securing the Network Perimeter What Are the
Challenges?


Business partner
Main office

• Challenges Include
• Determining proper firewall design
• Access to resources for remote users
• Effective monitoring and reporting
• Need for enhanced packet inspection
• Security standards compliance

Internet

Wireless

Branch office
Remote user
5
Securing the Network Perimeter What Are the
Design Options?
Three-legged configuration
Bastion host
Internal network
Internal network
Perimeternetwork
Web server
Back-to-back configuration
Internal network
Perimeternetwork
Internet
6
Configuring ISA Server to Secure the Network
Perimeter

• Use ISA Server to
• Provide firewall functionality
• Publish internal resources such as Web or
  Exchange servers
• Implement multilayer packet inspection and
  filtering
• Provide VPN access for remote users and sites
• Provide proxy and caching services

WebServer
LAN
WebServer
ISAServer
VPN
Server
Internet
ExchangeServer
Remote User
User
7
ISA Server 2004 Default Configuration
The ISA Server default configuration blocks all
network traffic between networks connected to ISA
Server
Only members of the local Administrators group
have administrative permissions
ü
Default networks are created
ü
Access rules include system policy rules and the
default access rule
ü
No servers are published
ü
Caching is disabled
ü
The Firewall Client Installation Share is
accessible if installed
ü
8
Configuring Access Rules

• Types of access rule elements used to create
  access rules are
• Protocols
• User sets
• Content types
• Schedules
• Network objects

9
Implementing Network Templates to Configure ISA
Server 2004
Bastion host
Three-legged configuration
Internal network
Internal network
Perimeternetwork
Web server
Deploy the 3-Leg Perimeter template
Back-to-back configuration
Deploy the EdgeFirewall template
Internal network
Deploy theFront End or Back Endtemplate
Perimeternetwork
Internet
Deploy the Single Network Adapter template for
Web proxy and caching only
10
Demonstration Applying a Network Template

• Use a network template to configure ISA Server
  2004 as an edge firewall

11
Deploying ISA Server 2004 Best Practices
To deploy ISA Server to provide Internet access

• Plan for DNS name resolution
• Create the required access rule elements and
  configure the access rules
• Plan the access rule order
• Implement the appropriate authentication
  mechanisms
• Test access rules before deployment
• Deploy the Firewall Client for maximum security
  and functionality
• Use ISA Server logging to troubleshoot Internet
  connectivity issues

12
Securing Access to Internal Servers

• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004

13
What Is ISA Server Publishing?
ISA Server enables three types of publishing
rules

• Web publishing rules for publishing Web sites
  using HTTP
• Secure Web publishing rules for publishing Web
  sites that require SSL for encryption
• Server publishing rules for publishing servers
  that do not use HTTP or HTTPS

14
Implementing ISA Server Web Publishing Rules

To create a Web publishing rule, configure

• Action
• Name or IP address
• Users
• Traffic source
• Public name

• Web listener
• Path mappings
• Bridging
• Link translation

15
Implementing ISA Server Secure Web Publishing
Rules

To create a secure Web publishing rule

• Choose an SSL bridging mode or SSL tunneling
• Install a digital certificate on ISA Server, on a
  Web server, or on both
• Configure a Web listener for SSL
• Configure a secure Web publishing rule

16
Demonstration Configuring a Secure Web
Publishing Rule

• Configure a secure Web publishing rule to an
  internal Web server

17
Implementing Server Publishing Rules
To create a server publishing rule,
configure

• Action
• Traffic
• Traffic source
• Traffic destination
• Networks

To enable secure server publishing, configure
ISA Server to publish a secure protocol, and then
install a server certificate on the published
server
18
Implementing Application and Web Filtering

• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004

19
Firewall Requirements Multiple-Layer Filtering
20
Implementing HTTP Web Filtering in ISA Server 2004
Use HTTP Web filtering to

• Filter traffic from internal clients to other
  networks
• Filter traffic from Internet clients to internal
  Web servers

HTTP Web filtering is rule-specificyou can
configure different filters for each access or
publishing rule
21
Demonstration Application Filtering in ISA
Server 2004

• Edit the default application filtering that is
  performed by ISA Server 2004

22
Securing Access to Exchange Server

• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004

23
Secure Client Access to Exchange Server Challenges
Outlook Mobile Access XHTML, cHTML, HTML
ActiveSync-Enabled mobile devices
Exchange front-end server
Wireless network
Outlook Web Access Outlook using RPC Outlook
using RPC over HTTP Outlook express using IMAP4
or POP3
ISAserver
Exchange back-end servers
24
Configuring RPC over HTTP Client Access
RPC over HTTP requires

• Outlook 2003 running on Windows XP

• Exchange Server 2003 running on Windows Server
  2003 and Windows Server 2003 global catalog
  servers

• Windows Server 2003 server running RPC proxy
  server

• Modifying the Outlook profile to use RPC over
  HTTP to connect to the Exchange server

To enable RPC over HTTP connections through ISA
Server, use the Secure Web Publishing Wizard to
publish the /rpc/virtual directory
25
Configuring ISA Server for Outlook Web Access
To configure ISA Server to enable OWA access
Use the Mail Server Publishing Wizard to
publishthe OWA server
1
Configure a bridging mode. For best security,
secure the connection from client to ISA Server
and from ISA Server to OWA server
2
Configure a Web listener for OWA publishing.
Choose forms-based authentication for the Web
listener
3
Forms-based authentication ensures that user
credentials are not stored on the client
computer can be used to block access to
attachments
26
Demonstration Configuring Outlook Web Access

• Configure an OWA publishing rule

27
Securing Access to Exchange Server Best Practices
Enable Outlook RPC connections for preExchange
Server 2003 and Outlook 2003 environments
ü
Use forms-based authentication on ISA Server for
OWA
ü
Implement RPC over HTTPS with SSL
ü
Explore the use of additional ISA Server features
to protect computers running Exchange Server
ü
Consider third-party add-ons for ISA Server to
protect computers running Exchange Server
ü
28
Virtual Private Networking with ISA Server 2004

• Introduction to ISA Server 2004
• Securing Access to Internal Servers
• Implementing Application and Web Filtering
• Securing Access to Exchange Server
• Virtual Private Networking with ISA Server 2004

29
Virtual Private Networking What Are the
Challenges?
VPNs provide a secure option for communicating
across a public network VPNS are used in two
primary scenarios

• Network access for remote clients
• Network access between sites

VPN quarantine control provides an additional
level of security by providing the ability to
check the configuration of the VPN client
machines before allowing them access to the
organizations network
30
Enabling Virtual Private Networking with ISA
Server
ISA Server enables VPN access

• By including remote-client VPN access for
  individual clients and site-to-site VPN access to
  connect multiple sites
• By enabling VPN-specific networks, including
• VPN Clients network
• Quarantined VPN Clients network
• Remote-site network
• By using network and access rules to limit
  network traffic between the VPN networks and the
  other networks with servers running ISA Server
• By extending RRAS functionality

31
Enabling VPN Client Connections
To enable VPN client connections

• Choose a tunneling protocol
• Choose an authentication protocol
• Use MS-CHAP v2 or EAP if possible
• Enable VPN client access in ISA Server Management
• Configure user accounts for remote access
• Configure remote-access settings
• Configure firewall access rules for the VPN
  Clients network

32
Implementing Site-to-Site VPN Connections
To enable site-to-site VPN connections

• Choose a tunneling protocol
• Configure the remote-site network
• Configure network rules and access rules to
  enable
• open communications between networks, or
• controlled communications between networks
• Configure the remote-site VPN gateway

33
How Does Network Quarantine Work?
VPN Clients Network
WebServer
DomainController
Quarantine script
Quarantine remote access policy
RQC.exe
ISAServer
DNSServer
FileServer
VPN QuarantineClients Network
34
Implementing Network Quarantine
To implement quarantine control on ISA Server
Create a client-side script that validates client
configuration
1
Use CMAK to create a CM profile for remote-access
clients
2
Create and install a listener component
3
Enable quarantine control on ISA Server
4
Configure network rules and access rules for the
Quarantined VPN Clients network
5
35
Configuring VPN Access Using ISA Server Best
Practices
Use strongest possible authentication protocols
ü
Enforce the use of strong passwords when using
PPTP
ü
Avoid the use of pre-shared keys for L2TP/IPSec
ü
Configure access rules to control access for VPN
clients and site-to-site VPN connections
ü
Use access rules to provide quarantined VPN
clients with the means to meet the security
requirements
ü
36
Session Summary
ISA Server 2004 is secure by default because it
blocks all trafficconfigure access rules to
provide the fewest possible access rights
ü
Many applications now use HTTP as a tunneling
protocoluse HTTP filtering to block the
applications
ü
Implementing Outlook RPC publishing and RPC over
HTTP publishing means that users can use Outlook
from anywhere
ü
Implement ISA Server publishing rules to make
internal resources accessible from the Internet
ü
Use access rules to limit access for VPN
remote-access clients, site-to-site VPN clients,
and network quarantine clients
ü
37
ISA Server 2004 Resources

• ISAServer.org www.isaserver.org
• FREE! TechNet Virtual Lab ISA Server
• http//www.microsoft.com/technet/traincert/virtual
  lab/isa.mspx
• 838709 How to use the ISA Server 2004 migration
  tool to migrate from ISA Server 2000 to ISA
  Server 2004
• 840697 ISA Server 2000 settings and features
  that are not supported when you migrate to ISA
  Server 2004

38
For More Information

• The official ISA Server site
• www.microsoft.com/isaserver
• A useful site with a wealth of information
• www.isaserver.org

39
What is TechNet?

• Put the right answers at your fingertips
• The comprehensive collection of resources to help
  IT prosplan, deploy and manage Microsoft
  products successfully

TechNet Subscription

• Comprehensive set of resources delivered reliably
  every month on CD or DVD The trusted resource
  for guidance, tools and software to efficiently
  evaluate, deploy and support Microsoft
  technologies.

• Accessible at www.microsoft.com/technet
• Online resources and community
• Subscriber-only Online Services

TechNet Web Site

• Biweekly e-newsletter
• Security updates, new resources, and special
  offers

TechNet Flash

• Briefings on the latest Microsoft products and
  technologies
• Hands-on, how to information

TechNet Events and Webcasts

• User Groups
• Managed Newsgroups

TechNet Communities
40
Connect with TechNet
Microsofts TechNet programs provide IT
professionals with high-quality, how-to
information and resources to efficiently
evaluate, deploy, maintain and support their
Microsoft technology. To learn more, subscribe,
or attend a free briefing, please visit

• Free Technical Briefings www.microsoft.com/semin
  ar/events
• TechNet Webcasts www.microsoft.com/webcasts
• TechNet Flash Newsletter www.microsoft.com/techn
  et/flash
• TechNet Online www.microsoft.com/technet
• Security Notification Service Sign-Upwww.microso
  ft.com/technet/security/signup/default.mspx
• TechNet Subscription www.microsoft.com/technet/s
  ubscriptions
• Microsoft TechNet Subscription Giveaway
• Complete the webcast survey to be entered to win
  a one year TechNet Plus subscription. See the
  official rules http//www.microsoft.com/seminar/ev
  ents/officialrules_1.mspx for details.

41
Questions and Answers

• Submit text questions using the Ask a Question
  button
• Dont forget to fill out the survey
• For upcoming and recordings of previous webcasts
  www.microsoft.com/webcasts
• Have webcast content ideas?Send us e-mail at
  webcasts_at_microsoft.com

42
https//msevents.microsoft.com/CUI/WelcomePage.asp
x?EventID...

• Live Meeting Web Page. Use Live Meeting Edit
  Slide Properties... to edit.