Installing and Maintaining ISA Server

1
Installing and Maintaining ISA Server
2
Planning an ISA Server Deployment

• Understand the current network infrastructure
• Review company security policies
• Plan the required network infrastructure
• Plan for branch office installations
• Plan for availability and fault tolerance
• Plan for access to the Internet
• Plan the ISA Server client implementation and
  deployment
• Plan for server publishing
• Plan for VPN deployment
• Plan the implementation

3
Network Infrastructure Requirements

• DNS
• Domain controllers
• DHCP

4
Domain Name System Requirements

• To connect to resources on the Internet, client
  computers must be able to resolve the DNS names
  for servers on the Internet to IP addresses
• To enable access to Internet resources, ensure
  that all client computers can resolve Internet
  DNS names
• You can use
• Internal DNS Server
• External DNS Server

5
Domain Controller Requirements

• restrict access to Internet resources based on
  user accounts
• require authentication before users can access
  published servers
• ISA Server provides several options for
  authenticating the users

6
Dynamic Host Configuration Protocol Requirements

• DHCP is not required to support an ISA Server
  infrastructure
• it is highly recommended to simplify network
  management.
• The advantage of using DHCP is that it can
  provide the IPconfiguration for all the client
  computers on your network automatically. This can
  make your ISA Server deployment much more
  efficient.

7
Operating System Requirements

• System and Hardware Requirements for ISA Server
  2006
• ISA Server can be installed on standard,
  Intel/AMD-based server hardware.

Component Requirement
OS Windows Server 2003 with SP1 or higher
Processor Single 733MHz Pentium III equivalent Memory 512MB of memory
Disk Space 150MB available (for installation of ISA software)
Network Cards / ISDN Adapter / Modem One OS-compatible card per connected network
8
Guidelines for Installing ISA Server, Standard
Edition

• To Configure the ISA Server Network Interfaces
• The Internal Interface
• Perimeter Network Interfaces

9
Choosing an ISA Server Client

• ISA Server Client Options
• Firewall clients
• SecureNAT clients
• Web Proxy clients

10
What Is a Firewall Client

• The Firewall client computer uses the Firewall
  Client application when initiating connections to
  the ISA Server computer

11
What Is a Firewall Client

• The advantages of using Firewall clients
• Firewall clients enable user or group based
  access control and logging
• When a Firewall client connects to ISA Server,
  the Firewall service automatically authenticates
  the user.
• the Firewall Client software can configure the
  Web Proxy browser automatically.

12
What Is a Firewall Client

• Must install the Firewall Client software on the
  client computers
• a large number of client computers in
  organization and have no means of automating the
  client installation, it will require a
  significant effort to deploy the clien
• The Firewall client can only be installed on
  Windows computers

13
What Is a SecureNAT Client

• Do not have Firewall Client software.
• The clients must be able to route requests for
  Internet resources through the ISA Server
  computer
• configure the default gateway on the SecureNAT
  clients and configure network routing, so that
  all traffic destined to the Internet is sent
  through the ISA Server computer.

14
What Is a SecureNAT Client

• When a SecureNAT client connects to the ISA
  Server computer, the request is directed first to
  the NAT driver, which substitutes the external IP
  address of the ISA Server computerfor the
  internal IP address of the SecureNAT client.
• The client request is then directed to the
  Firewall service to determine whether access is
  allowed.
• Finally, therequest may be filtered by
  application filters and other extensions.

15
What Is a SecureNAT Client

• SecureNAT clients have other advantages
• SecureNAT clients also provide almost as much
  functionality as Firewall clients
• Requests from SecureNAT clients can be passed to
  application filters, which can modify the
  requests to enable handling of complex protocols.
• SecureNAT can use the Web Proxy service for Web
  access filtering and caching
• Any operating system that supports Transmission
  Control Protocol/Internet Protocol
• (TCP/IP) can be configured as a SecureNAT client

16
What Is a SecureNAT Client

• SecureNAT clients have two primary limitations
• You cannot control access to Internet resources
  based on users and groups
• SecureNAT clients may not be able to use all
  protocols

17
Example
18
Example
Located on the Branch Office Network The client computers must be configured with Router3 as the default gateway. Router3 must be configured with Router2 as the default gateway. Router2 must be configured to route Internet requests to Router1. Router1 must be configured to route Internet requests to the ISA Server computer
Located on Main Office Network2 or Main Office Network1 The client computers must be configured to route all Internet requests to Router1. Router1 must be configured to route Internet requests to the ISA Server computer.
19
What Is a Web Proxy Client?

• A Web Proxy client is a client computer that has
  an HTTP 1.1compliant Web browser application and
  is configured to use the ISA Server computer as a
  Web Proxy server.
• do not have to install any software to configure
  Web Proxy clients.
• must configure the Web applications on the client
  computers to use the ISA Server computer as a
  proxy server

20
How to Configure ISA Server for Web Proxy Clients

• The first step in enabling Web Proxy clients is
  to configure the ISA Server computer to allow
  connections from these clients.

21
Configuring Web Proxy Clients Manually
22
How to Configure Web Proxy Clients
23
Guidelines for Choosing ISA Server Clients
If You Need To Then Use
Avoid deploying or configuring client software SecureNAT clients
Use ISA Server only for accessing Web resources using HTTP or HTTPS SecureNAT or Web Proxy clients
Allow access only for authenticated clients Firewall clients or Web Proxy clients
Publish servers that are located on your Internal network SecureNAT clients
Improve Web performance in an environment with non-Windows operating systems Web Proxy or SecureNAT clients
24
Configuring the SecureNAT and Web Proxy Clients

• Configuring SecureNAT Clients to Route Internet
  Requests

25
Installing and Configuring the Firewall Client

• How to Install Firewall Client
• Use folder client in ISA server. Run file
  setup.exe
• To enable Automatic Discovery of the ISA
• Server computer, select Automatically Detect The
  Appropriate ISA Server Computer.

26
Installing and Configuring the Firewall Client
can enable or disable the Firewall Client and
configure it to detect the ISA Server computer
automatically or configure the ISA Server
computer manually.
27
Installing and Configuring the Firewall Client

• To deploy the Firewall Client to a large number
  of clients, choose to automate the Firewall
  Client installation.
• Using Active Directory Group Policy to Distribute
  the Firewall Client

28
Securing ISA Server 2006

• defense-in-depth
• A defense-in-depth security strategy means that
  you use multiple levels of defense to secure your
  network

29
Securing ISA Server 2006

• Policies, procedures, and awareness
• Physical security Ensure that only authorized
  personnel can gain physical access to the
  resources.
• Perimeterconnecting point between the Internet
  and the internal network is as secure as
  possible, options for providing this security
  include firewalls or multiple firewalls
• Internal networks Even if the perimeter is
  secure, you must still ensure thatthe internal
  networks are secure for cases in which the
  perimeter is compromised or when the attacker is
  within the organization.
• Operating systems
• Applications
• Data

30
How to Secure the Network Interfaces

• To secure ISA Server, begin by securing the
  network interfaces connected to the server.
• Securing the External Network Interface
• Securing the Internal Network Interface
• Using Security Templates to Manage Services
• Implementing Security Templates

31
Maintaining ISA Server 2006

• How to Export and Import the ISA Server
  Configuration
• Exporting the ISA Server Configuration

32
How to Export and Import the ISA Server
Configuration

• Cloning a server export a configuration from
  one ISA Server computer and then import the
  settings on another computer
• Saving a partial configuration export and import
  any part of the ISA Server configuration a
  single rule, an entire policy, or an entire
  configuration
• Sending a configuration fo troubleshooting
• Rolling back a configuration change

33
Exporting the ISA Server Configuration

• The entire ISA Server configuration
• All the connectivity verifiers, or one selected
  connectivity verifier
• All the networks, or one selected network
• All the network sets, or one selected network
  set
• All the network rules, or one selected network
  rule
• All the Web chaining rules, or one selected Web
  chaining rule
• Cache configuration
• All the content-download jobs, or one or more
  selected content-download jobs
• The entire firewall policy, or one selected rule

34
Importing the ISA Server Configuration

• Open ISA Server Management.
• Select the object whose settings you want to
  import. You must select the correct
• type of object for the configuration file that
  you are using.
• On the Tasks tab, click the import task. The
  exact name for the task will vary,
• depending on the type of object that you
  selected.
• Select the exported .xml file and click Import.
• Click Apply to apply the changes and click OK
  when the changes have been
• applied.

35
How to Back Up and Restore the ISA Server
Configuration

• Open ISA Server Management and click the server
  name. The option to back up
• and restore the ISA Server configuration is
  available only when you select the
• server name.
• On the Tasks tab, click Backup This ISA Server
  Configuration.
• Enter a file name for the backup file and click
  Backup.
• You must provide a password for the ISA Server
  backup
• To restore the backup, click the server name in
  ISA Server Management. Then
• click Restore this ISA Server Configuration and
  select the appropriate ISA Server
• backup file.
• Click Apply to apply the changes and click OK
  when the changes have been
• applied.

36
(No Transcript)