
Module 9: Configuring ISA Server for the Enterprise.


1 Module 9: Configuring ISA Server for the Enterprise

2 Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality

3 Microsoft® Internet Security and Acceleration (ISA) Server 2000 provides many features to support an enterprise-wide deployment. Some of these features are available only in the Enterprise Edition of ISA Server. The security, caching, management, performance, and extensibility capabilities of ISA Server are the same in both the Standard Edition and the Enterprise Edition. The Standard Edition, however, is limited to a stand-alone server, a local policy only, and computers with up to four processors. For large-scale deployments, server array support, multi-level policy, and computers with more than four processors, you must use the ISA Server Enterprise Edition.

4 After completing this module, you will be able to:
Describe the use of ISA Server in an enterprise environment.
Install ISA Server in an enterprise environment.
Use enterprise and array policies.
Scale ISA Server.
Manage network connections.
Extend and automate ISA Server functionality.

5 Introducing ISA Server Enterprise Edition
Benefits of ISA Server Enterprise Edition
Using ISA Server Enterprise Edition

6 Deploying ISA Server Enterprise Edition in an enterprise environment offers an organization many benefits. When you deploy ISA Server Enterprise Edition, you must select an installation configuration and a policy configuration.

7 Benefits of ISA Server Enterprise Edition
Scalability: Scales ISA Server functionality by using arrays, symmetric multiprocessing, Network Load Balancing, and CARP.
Distributed and Hierarchical Caching: Enhances caching performance and fault tolerance.
Active Directory: Contains configuration and policy information and is used to apply access controls to users and groups.
Tiered Policy: Enables you to create policies at both the array and enterprise level.

8 ISA Server Enterprise Edition offers several benefits to organizations that want fast, secure, and manageable Internet connectivity in an enterprise environment.

9 Scalability
ISA Server Enterprise Edition provides scalability by using arrays, enhanced symmetric multiprocessing support, the Network Load Balancing feature of Microsoft Windows® 2000 Advanced Server, and the Cache Array Routing Protocol (CARP).

10 Scalability: Arrays
ISA Server Enterprise Edition uses arrays to manage a group of ISA Server computers as a single, logical entity. Array installations increase performance and bandwidth savings by distributing client requests between multiple ISA Server computers. In addition, because the load is distributed across all of the servers in the array, you can achieve good performance even with moderate hardware. Arrays also provide fault tolerance. Moreover, because the array members share the same configuration, management and administration are simplified.

11 Scalability: Symmetric Multiprocessing
ISA Server uses Windows 2000 symmetric multiprocessing (SMP) to improve performance on computers with multiple processors. ISA Server Enterprise Edition uses the SMP capabilities of Windows 2000 Advanced Server, which supports up to 8 processors, and Microsoft Windows 2000 Datacenter Server, which supports up to 32 processors.

12 Scalability: Network Load Balancing
ISA Server Enterprise Edition efficiently uses Network Load Balancing, which is available in Windows 2000 Advanced Server and Windows 2000 Datacenter Server, to provide fault tolerance, high availability, efficiency, and performance through the clustering of multiple ISA Server computers. You can use Network Load Balancing to make multiple ISA Server computers respond to a single Internet Protocol (IP) address, which provides load balancing and fault tolerance for publishing internal resources to the Internet.

13 Scalability: CARP
ISA Server Enterprise Edition uses CARP to provide scaling and efficiency when deploying an array of ISA Server computers as forward and reverse caching servers. CARP eliminates the duplication of content among array members and automatically adjusts to additions or deletions of servers in the array.

14 Distributed and Hierarchical Caching
ISA Server Enterprise Edition uses CARP to perform distributed caching among an array of ISA Server computers to enhance the caching performance and the fault tolerance if an ISA Server computer becomes unavailable. In addition, ISA Server supports hierarchical, or chained, caching. Chained caching is a hierarchical connection between individual ISA Server computers or arrays of ISA Server computers. Chained caching enables caching to take place closer to the users. Client requests are sent upstream through the chain of cache servers until the requested object is found. When the object is located on an upstream server, it is cached in both the upstream server's cache and the downstream server's cache. Both the Standard Edition and the Enterprise Edition support hierarchical caching.

15 Active Directory
ISA Server stores configuration and policy information of arrays in the Active Directory™ directory service. Active Directory provides a central point for storing and gaining access to ISA Server policies and configuration settings. In addition, both the Standard Edition and the Enterprise Edition can apply access controls by using user accounts and groups that are defined in Active Directory.

16 Tiered Policy
ISA Server Enterprise Edition supports a tiered policy, which enables you to create access policies at both the enterprise level and the array level. You can set a centralized enterprise policy that unconditionally applies to all of the arrays in the enterprise, or you can set an enterprise policy that administrators can augment at the array level.

17 Using ISA Server Enterprise Edition
[Screenshot: ISA Management console, Servers and Arrays taskpad, listing the arrays LONDON, PERTH, and VANCOUVER (Integrated mode, created 1/4/2001, Enterprise Policy 1 applied) with the tasks Configure Enterprise Policies, Configure Enterprise Policy Default Settings, and Set Enterprise Policy for the Selected Array.]
Taskpad text: You can create one or more enterprise policies that can be applied to arrays. At the enterprise level, you control whether additional rules can be created at the array level. Use this taskpad to configure how the enterprise policy affects the array policy.

18 You can install ISA Server Enterprise Edition as a stand-alone server or as an array member. When you install ISA Server as an array member, you can select a policy configuration that meets the needs of your organization.

19 Selecting an Installation Configuration
When you install ISA Server Enterprise Edition as a stand-alone server, the computer does not have to belong to a Windows 2000 domain. ISA Server stores the configuration information for the stand-alone server in the registry. Stand-alone servers do not use array policies or enterprise policies. When you install ISA Server as an array member, the computer must be a member of a Windows 2000 domain. ISA Server Enterprise Edition stores configuration information for arrays in Active Directory. You can apply an enterprise policy to an array, which allows you to centralize management for multiple arrays in your enterprise.

20 Selecting a Policy Configuration
When you set up ISA Server in an enterprise configuration, you must select a policy configuration to apply to the arrays in the domain. You can use enterprise policies, which apply a centralized policy to arrays, or you can use array policies, which apply a policy only to the ISA Server computers in one array. Each type of policy includes the following:

21 Enterprise Policy. Includes site and content rules and protocol rules. You can create one or more enterprise policies. In addition, you can configure an enterprise policy to permit an array policy to augment the enterprise policy. This configuration enables administrators at branch offices and specific departments in an organization to use enterprise policies and be able to configure rules at the array level that further restrict an access policy.

22 Array Policy. Includes site and content rules, protocol rules, IP packet filters, Web publishing rules, routing rules, and server publishing rules. You select an array policy to apply a unique array policy to each array in the enterprise. For example, you can allow unlimited access to the Internet for the clients that use one array and then place restrictions on the clients that use another array.
Important: If you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access. When you apply enterprise policies, array policies can create additional restrictions over the enterprise policies. However, an array policy can never allow any type of access that an enterprise policy does not first allow.

23 Installing ISA Server in the Enterprise
Installing ISA Server Schema in Active Directory
Using Arrays
Installing ISA Server in an Array
Creating and Deleting Arrays in ISA Management
Promoting a Stand-Alone Server
Maintaining Enterprise Configurations

24 Before you can set up ISA Server Enterprise Edition as an array member, the ISA Server schema must be installed in Active Directory. ISA Server includes an Enterprise Initialization utility that you can use to install the ISA Server schema in Active Directory. You can also promote stand-alone servers to array members. When you modify an array, it is recommended that you back up the configuration information.

25 Installing ISA Server Schema in Active Directory
[Screenshot: ISA Enterprise Initialization dialog box. It asks you to specify how to apply the enterprise policy at the array level (after installation, you can modify these settings for any array in the enterprise), with the options Use array policy only and Use this enterprise policy (Enterprise Policy 1), and the check boxes Also allow array-level access policy rules that restrict enterprise policy, Allow publishing rules, and Force packet filtering on the array.]

26 Before you can set up ISA Server as an array member, you must install the ISA Server schema in Active Directory. Installing the ISA Server schema adds new object classes and attributes to Active Directory. Caution: Applying a schema change to Active Directory is a major operation that normally requires planning. Because Active Directory does not support deletion of schema objects, the enterprise initialization process is irreversible. For more information about schema changes to Active Directory, see Module 4, "Designing a Schema Policy," in Course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.

27 Using the Enterprise Initialization Utility
ISA Server includes an Enterprise Initialization utility that you can use to install the ISA Server schema in Active Directory. After you install the ISA Server schema, all subsequent ISA Server installations to computers in the Active Directory forest can use the ISA Server schema. You do not have to install the schema again.
Important: To install the ISA Server schema in Active Directory, you must be an administrator on the local computer, and you must be a member of the Enterprise Admins group and the Schema Admins group. In addition, the domain controller that holds the schema master role for your Active Directory forest must be available. For more information about operations master roles, see Module 12, "Managing Operations Masters," in Course 2154A, Implementing and Administering Microsoft Windows 2000 Directory Services.

28 Initializing the Enterprise
To initialize the enterprise by installing the ISA Server schema:
1. At a command prompt, type path\isa\i386\msisaent.exe (where path is the location of the ISA Server installation files). The location can be the root folder of the ISA Server CD-ROM or a shared folder on your network that contains the ISA Server files.
2. In the ISA Enterprise Initialization Tool dialog box, click Yes to acknowledge that the schema installation is not reversible.

29 Initializing the Enterprise (continued)
3. In the ISA Enterprise Initialization dialog box, select one of the following policy options:
Use array policy only. Allows the array administrator to create rules for allowing or denying access at the array level. ISA Server does not apply enterprise policy to the array.
Use this enterprise policy. Creates an enterprise policy with the name that you type. You can modify the policy and add additional enterprise policies after you have installed ISA Server.

30 Initializing the Enterprise (continued)
4. If you select to use an enterprise policy, in the ISA Enterprise Initialization dialog box, select one or more of the following options, and then click OK twice.
Note: Because of Active Directory replication latency, there may be a delay until the schema changes are applied to all domain controllers in your organization.

31
To allow array administrators to create array policies that further restrict an enterprise policy, select the Allow array-level access rules that restrict enterprise policies check box.
To allow administrators to create publishing rules, select the Allow publishing rules check box.
To enforce packet filtering on all arrays, ensure that the Force packet filtering on the array check box is selected.

32 Using Arrays
Guidelines for Setting Up Arrays
Configuration Settings for Arrays
Permissions Required for Adding Arrays

33 Before you set up an array, consider the following guidelines, configuration settings, and permissions required for adding arrays.

34 Guidelines for Setting Up Arrays
The guidelines for setting up arrays are as follows:
All of the array members must be in the same Windows 2000 domain and on the same site.
All of the array members should use the same installation mode: Cache mode, Firewall mode, or Integrated mode.
All of the array members should have the same set of extensions installed.

35 Configuration Settings for Arrays
Array members have the following configuration settings:
Policy configuration. Policy configuration for arrays includes all access policy rules, publishing rules, and bandwidth rules. Similarly, the cache policies are centrally configured at the array level, and the cache policy and scheduled content download jobs apply to all computers in an array.
Alert configuration. Alerts can be configured for each server in the array or for all of the servers in the array.
Reports. Reports display information about the activity on all of the ISA Server computers in the array. The report data is stored in a database on a computer and in a directory that you specify. By default, the report data is stored on the ISA Server computer on which you configure the report jobs.

36 Configuration Settings for Arrays (continued)
Cache. Disk space for caching is allocated separately on each ISA Server computer according to the amount that you specify when you install or reconfigure the cache. However, all of the cache configuration properties are common for all of the servers in an array. These properties include the Hypertext Transfer Protocol (HTTP) caching properties, the File Transfer Protocol (FTP) caching properties, and the CARP properties.

37 Permissions Required for Adding Arrays
By default, the members of the Domain Admins group for the domain and the members of the Enterprise Admins group for the Active Directory forest can create new arrays. Only the members of the Enterprise Admins group are prompted to configure how the enterprise policies apply to the array because only the members of this group have the required permissions to administer enterprise policies. When a user who is not a member of the Enterprise Admins group creates an array, the default enterprise policy automatically applies to the array.

38 Installing ISA Server in an Array
[Flowchart: Start → Run Setup → Install ISA Server as an Array → Create and Name Array → Select an Enterprise Policy Setting → Select Custom Policy Settings → Finish]

39 When you install the first ISA Server computer after importing the ISA Server schema into Active Directory, the setup program provides you with additional choices that are not available before you modify the schema. After you set up the first ISA Server computer in an array, when you install additional array members, these array members automatically retrieve most of the configuration information from Active Directory.

40 Installing the First ISA Server Computer
To install ISA Server on the first computer in an array:
1. Start the Microsoft Internet Security and Acceleration Server Enterprise Edition Setup program, and choose whether to perform a typical, custom, or full installation.
2. In the Microsoft ISA Server Setup dialog box, click Yes to install ISA Server as an array member.
3. If the domain already contains arrays, in the Microsoft ISA Server Setup dialog box, click New.
4. In the New Array dialog box, type a name for the array that you are creating, and then click OK.

41 Installing the First ISA Server Computer (continued)
5. In the Configure enterprise policy setting dialog box, select one of the following options:
Use default enterprise policy settings. The array will use the default enterprise policy settings. These settings are normally the policy settings that you configured when you imported the ISA Server schema.
Use custom enterprise policy settings. The array will not use the default enterprise policy settings.
6. If you chose to use a custom enterprise policy, select the appropriate policy option and settings, and then click Continue.
7. In the Microsoft ISA Server Setup dialog box, select the installation mode, and then configure the cache settings and the Local Address Table (LAT) as you would for a stand-alone server.

42 Installing Additional Array Members
When you install additional members of an array, the new members retrieve the existing array configuration from Active Directory. To install additional array members:
1. Start the Microsoft Internet Security and Acceleration Server Enterprise Edition Setup program, and choose whether to perform a typical, custom, or full installation.

43 Installing Additional Array Members (continued)
2. In the Internet Security and Acceleration Server Setup dialog box, click Yes to install ISA Server on an array member.
3. In the Microsoft ISA Server Setup dialog box, click the array that you want to add the computer to, click OK, and then configure the cache settings as you would for a stand-alone server.

44 Creating and Deleting Arrays in ISA Management
Creating New Arrays
Deleting Arrays

45 You can create a new array before installing ISA Server on the first computer in the array, which allows you to configure the array in advance. When you create a new array, you can create a new configuration or you can copy a configuration from another array. After you have created an array, computers can join the array when you install ISA Server or when you promote a stand-alone server to an array member.
Important: You must be a member of the Domain Admins group or the Enterprise Admins group to create an array. You must be a member of the Enterprise Admins group to configure how the enterprise policies apply.

46 Creating New Arrays
To create a new array:
1. In ISA Management, in the console tree, right-click Servers and Arrays, point to New, and then click Array.
2. In the New Array Wizard, type a name for the array, and then click Next.
3. On the Domain Name page, select the site and domain in which to create the new array, and then click Next.

47 Creating New Arrays (continued)
4. On the Create or Copy an Array page, select one of the following options:
If you are creating a new configuration, click Create a new array, and then click Next.
If you are copying a configuration, click Copy this array, select the array to copy from the list, click Next, and then click Finish.
Note: You perform the following steps only when you are creating an array with a new configuration.

48 Creating New Arrays (continued)
5. On the Enterprise policy settings page, select one of the following options, and then click Next:
Do not use enterprise policy.
Use default enterprise policy settings.
Use custom enterprise policy settings. Use this option to specify an enterprise policy. You can also select the Allow array policy check box.

49 Creating New Arrays (continued)
6. On the Array type page, select one of the following options, and then click Next:
Cache only
Firewall only
Integrated

50 Creating New Arrays (continued)
7. On the Array Global Policy Options page, select one or both of the following options, and then click Next:
Allow publishing rules to be created on the array
Force packet filtering on the array
8. On the Completing the New Array Wizard page, review your choices, and then click Finish.

51 Deleting Arrays
You can delete an array in ISA Management after you uninstall ISA Server from all array members. To delete an array: In ISA Management, in the console tree, right-click the appropriate array, and then click Delete.
Caution: If you accidentally delete an array that has members, you must re-create the array, uninstall ISA Server on each of the members, re-create each array member, and then reinstall ISA Server on all array members.

52 Promoting a Stand-Alone Server
Migrating Policy Settings
Promoting a Stand-Alone Server

53 After you initialize the enterprise, you can promote stand-alone servers to array members. After promoting a stand-alone server to an array, by default, the name of the array is the same as the name of the server. You can rename the array in ISA Management. Note: You can promote stand-alone servers that belong to a Windows 2000 domain only. You cannot reverse the promotion without uninstalling ISA Server.

54 Migrating Policy Settings
When you promote a stand-alone server to an array, the new array adopts the default enterprise policy settings or another enterprise policy that you select. Because array policies cannot be more permissive than enterprise policies, depending on the default enterprise policy settings, ISA Server may delete some of the existing array policy rules as follows.

55
If the default enterprise settings...          Then ISA Server...
Are enterprise policy only                     Deletes all of the array policy rules.
Are enterprise policy and array policy         Deletes all of the array policy rules that allow access.
Disallow publishing for the array              Deletes the publishing rules that are defined.

56 Promoting a Stand-Alone Server
To promote a stand-alone server:
1. In ISA Management, in the console tree, right-click the server, and then click Promote.
2. Click Yes to verify that you want the ISA Server to become an array member.
3. If you are not a member of the Enterprise Admins group, click Yes to confirm that the default enterprise policy will be applied to the array.
-or-
If you are a member of the Enterprise Admins group, in the Set Global Policy dialog box, select the appropriate policy options and settings, and then click OK.

57 Maintaining Enterprise Configurations
[Screenshot: ISA Management console, Servers and Arrays taskpad (arrays LONDON, PERTH, and VANCOUVER with Enterprise Policy 1 applied), with the Backup Enterprise Configuration dialog box (Store backup configuration in this location; Comment) and the Restore Enterprise Configuration dialog box (Restore configuration from the following backup (.BEF) file) open.]

58 You can back up the enterprise configuration information and then store it locally in a file. The backup process saves all of the enterprise-specific information, including the enterprise policies and the enterprise policy elements. The backup process also saves information about the enterprise policies that the arrays are using.

59 Important: Because restoring an enterprise configuration may affect arrays that use enterprise policies, it is recommended that you back up an array configuration after you back up the enterprise configuration. When you restore the enterprise configuration, you can also restore all of the array configurations. For information about backing up and restoring arrays, see Module 2, "Installing and Maintaining ISA Server," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

60 Backing Up an Enterprise Configuration
To back up an enterprise configuration:
1. In ISA Management, in the console tree, right-click Enterprise, and then click Back Up.
2. In the Store backup configuration in this location box, type the name of the folder in which to store the backup data, and then click OK.

61 Restoring an Enterprise Configuration
To restore an enterprise configuration:
1. In ISA Management, in the console tree, right-click Enterprise, click Restore, and then click Yes to overwrite the existing enterprise configuration with the backup configuration.
2. In the Restore configuration from the following backup (.bef) file box, type the path of the backup folder and the name of the backup file.

62 Using Enterprise Policies and Array Policies
Configuring an Enterprise Policy
Configuring an Array Policy
Combining Enterprise Policies and Array Policies

63 You use enterprise and array policies to specify rules for controlling how an internal network communicates with the Internet. You use enterprise policies to apply a centralized set of rules to all of the arrays in the enterprise. You use array policies to apply a unique set of rules to each array in the enterprise. You can also combine enterprise policies and array policies.

64 Configuring an Enterprise Policy
Using Enterprise Policy Elements
Setting a Default Enterprise Policy
Changing Default Settings for the Enterprise Policy
Applying an Enterprise Policy to Selected Arrays

65 An enterprise policy consists of site and content rules, protocol rules, and policy elements. When you set a default enterprise policy, ISA Server applies the rules of the default enterprise policy to all of the new arrays that you create, unless you specify a different policy. If required, you can configure the default enterprise policy to apply to only selected arrays. Note: For more information about site and content rules, protocol rules, and policy elements, see Module 3, "Enabling Secure Internet Access" in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

66 By default, only members of the Enterprise Admins group can create, configure, and apply enterprise policies and can create and configure enterprise-wide policy elements.

67 Using Enterprise Policy Elements
When you create policy elements for an enterprise, these policy elements are available to all of the arrays in the enterprise. You can use these policy elements in enterprise policies and in array policies.

68 Setting a Default Enterprise Policy
To set a default enterprise policy: In ISA Management, in the console tree, expand Enterprise, expand Policies, right-click the specified enterprise policy, and then click Set as Default Policy.

69 Changing Default Settings for the Enterprise Policy
After initializing ISA Server for the enterprise, you can change the default policies that ISA Server applies when you create a new array. To change the default policies:
1. In ISA Management, in the console tree, right-click Enterprise, and then click Set Defaults.
2. In the Set Default Policy dialog box, select the applicable policy and settings, and then click OK.

70 Applying an Enterprise Policy to Selected Arrays
To apply an enterprise policy to selected arrays:
1. In ISA Management, in the console tree, expand Enterprise, expand Policies, right-click the default enterprise policy, and then click Properties.
2. In the Enterprise Policy Properties dialog box, click the Arrays tab, select the names of the arrays to which you want to apply the enterprise policy, and then click OK.
Caution: When you apply an enterprise policy to an array, ISA Server deletes all of the previously defined array-level site and content rules and protocol rules that allow access.

71 Configuring an Array Policy
Configuring the Cache for an Array
Forcing Packet Filtering for an Array
Allowing Publishing Rules in an Array
Configuring Server-Specific Settings in ISA Server

72 Configuring an array policy is similar to configuring a policy for a stand-alone server. However, there are some important differences that you must keep in mind when configuring and using an array policy. An array policy includes site and content rules, protocol rules, IP packet filters, and the associated policy elements. When you configure an array policy, ISA Server applies the rules of the array policy to all of the ISA Server computers in the array. You can also set an enterprise policy to require packet filtering at the array level. Note: For more information about site and content rules, protocol rules, and policy elements, see Module 3, "Enabling Secure Internet Access," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

73 Configuring the Cache for an Array
All of the cache configuration properties are the same for all of the servers in an array. These properties include the HTTP caching properties, the FTP caching properties, and most of the CARP properties. However, ISA Server separately allocates disk space for the cache on each server according to the amount that you specify when you install or reconfigure the cache on each server.

74 Forcing Packet Filtering for an Array
You cannot enable packet filtering at the enterprise level. However, an enterprise administrator can specify that packet filtering can be forced at the array level. If you are a member of the Enterprise Admins group, ISA Server prompts you about whether you want to force the array to use packet filtering when you create a new array. You can also change this setting after you create an array. Enforce packet filtering to prevent an array administrator from configuring ISA Server in an insecure manner.

75 Forcing Packet Filtering for an Array (continued)
To force packet filtering for an array:
1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the applicable array, and then click Properties.
2. On the Policies tab, verify that Use custom enterprise policy settings is selected, select the Force packet filtering on the array check box, and then click OK.

76 Allowing Publishing Rules in an Array
You cannot create publishing rules at the enterprise level. However, an enterprise administrator can specify whether an array is allowed to publish servers by creating Web publishing rules or server publishing rules. If you are a member of the Enterprise Admins group, ISA Server prompts you about whether you want to allow publishing rules in the array when you create a new array. You can also change this setting after you have created an array.

77 To allow publishing rules for an array: 1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the applicable array, and then click Properties. 2. On the Policies tab, verify that Use custom enterprise policy settings is selected, select the Allow publishing rules check box, and then click OK. Allowing Publishing Rules in an Array (continued)

78 Most of the settings in ISA Server apply to the entire array. However, some settings are specific to each array member. These settings include: Listeners for outgoing and incoming Web requests. You can set up listeners to be active on only a single network interface. You can also configure a separate listener for each network interface on each ISA Server computer. Packet filters. You can configure a packet filter to apply to only a single array member. Configuring Server-Specific Settings in ISA Server

79 Server publishing rules. You can configure different server publishing rules for each array member. Alerts. You can configure an alert that applies to only a single array member. Caching. You can configure disk space used for caching, the load factor, and intra-array IP address. Configuring Server-Specific Settings in ISA Server (continued)

80 Combining Enterprise Policies and Array Policies (slide shows the LONDON Properties dialog, Policies tab, with the options Use array policy only, Use default enterprise policy settings, and Use custom enterprise policy settings, the Use this enterprise policy list, and the Allow publishing rules, Force packet filtering on the array, and Allow array-level access rules that restrict enterprise policy check boxes)

81 You can configure enterprise policy settings so that an administrator can configure rules for an array policy to refine the enterprise policy. For example, you can create an access policy for an array to deny access to additional users, sites, content, or protocols.

82 When you apply an enterprise policy to an array, you can no longer create site and content rules and protocol rules for the array that allow access. You can create only site and content rules and protocol rules for the array that deny access. Because ISA Server combines enterprise policies and array policies, you should define all of the rules that allow access in an enterprise policy and then create an array policy to further restrict the access granted by the enterprise policy. Note: Only enterprise administrators can specify whether enterprise policies will allow array-level rules.

83 To configure an enterprise policy to allow array-level settings: 1. In ISA Management, in the console tree, right-click the applicable array, and then click Properties. 2. On the Policies tab, select the Use custom enterprise policy settings check box, select the Allow array-level access rules that restrict enterprise policy check box, and then click OK.

84  Managing Network Connections Routing Overview Configuring Routing for Web Proxy Client Requests Configuring Routing for Firewall Client and SecureNAT Client Requests Automatic Discovery Overview Configuring Automatic Discovery Configuring Clients for Automatic Discovery Customizing Client Discovery Information

85 You can manage network connections by configuring routing rules to direct Web requests. You can also use the automatic discovery feature to make the configuration of clients easier. By enabling automatic discovery, Web Proxy clients and Firewall clients will automatically discover the appropriate ISA Server computer. Important: You can use ISA Server Standard Edition or ISA Server Enterprise Edition to manage network connections for ISA Server. However, customizing network connections yields the most benefits in an enterprise-wide installation.

86 Routing Overview (slide shows an ISA Server computer at an Overseas Branch Office sending Local Requests to an Overseas ISP and all other requests to Array 1, Array 2, and Array 3 at the Corporate Office)

87 Routing is the process of sending Web requests from an ISA Server computer to a specified destination. You can create routing rules to determine whether a Web Proxy client request is: Retrieved directly from the specified destination. Sent to an upstream server. Redirected to an alternate site.

88 You can also create routing rules to conditionally route requests, depending on the destination. For example, an organization with an overseas branch office could set up an ISA Server computer at the branch office that is connected to both the corporate office and an Internet service provider (ISP) that is local to the branch office. A routing rule on the ISA Server computer at the branch office could direct requests for local destinations to the ISP and direct all other requests to the ISA Server array at the corporate office. The ISA Server computer at the overseas branch office benefits from the ISA Server cache at the corporate office, and it is able to cache local objects retrieved from the ISP.

89 Configuring Routing for Web Proxy Client Requests (slide shows the New Routing Rule Wizard flow: Start, Name the Rule, Select a Destination Set, Specify a Request Action, Configure Primary Routing, Configure Backup Routing, Configure Cache Retrieval, Configure Cache Storage, Finish)

90 You can configure ISA Server to route requests from Web Proxy clients to a specific upstream ISA Server computer, a Microsoft Proxy Server 2.0 computer, or a third-party proxy server. You can specify a backup route if the primary route is unavailable. You can also configure when objects should be retrieved from the cache. You use routing rules to configure routes and cache retrieval options for Web Proxy client requests. You can also use routing rules to redirect requests to another site. For example, you can redirect internal requests for your public Web site to an internal replica of the Web site so that employees can access the site more efficiently and securely.

91 To configure a routing rule: 1. In ISA Management, in the console tree, expand Servers and Arrays, expand the server or array, and then click Network Configuration. 2. In the details pane, click Create a Routing Rule. 3. In the New Routing Rule Wizard, in the Routing rule name box, type a name for the rule, and then click Next. 4. On the Destination Sets page, specify the destinations, and then click Next. 5. On the Request Action page, specify an action, and then click Next.

92 If you select / Then:
Retrieve them directly from the specified destination / No further action is required.
Route to a specified upstream server / Specify primary routing and backup routing.
Redirect to / In the Hosted site box, type the name of a server to redirect the request to. In the Port box, type the port that the hosted site uses for HTTP packets, and then in the SSL Port box, type the port that the hosted site uses for Secure Sockets Layer (SSL) requests.

93 6. If routing to an upstream server, on the Primary Routing page, specify the following information, and then click Next: In the Server or array box, type the name or IP address of the ISA Server computer or array to which the request will be routed. In the Port box, type the port number on which the upstream server listens for HTTP requests. This port number is typically 8080. In the SSL Port box, type the port number on which the upstream server listens for SSL requests. This port number is typically 8443. If the upstream server is accessible only when another server that connects to it supplies credentials, select the Use this account check box. In the Set Account dialog box, type the user name in the form, type the password, and then click OK. In the Authentication list, select an authentication type.

94 7. If routing to an upstream server, on the Backup Routing page, select one of the following actions for cases in which the primary route is unavailable, and then click Next: Ignore requests. Ignores the request and displays an error message in the Web Proxy client. Retrieve the requests directly from specified destination. Bypasses ISA Server and attempts to retrieve the request directly. Route requests to an upstream server. Note: If you route requests to an upstream server, you must also configure the properties of an upstream ISA Server computer or array on the Backup Routing page.

95 8. On the Cache Retrieval Configuration page, select an option for retrieving the object and routing the request, and then click Next. 9. On the Cache Content Configuration page, select an option for storing objects, and then click Next. 10. On the Completing the New Routing Rule Wizard page, review your choices, and then click Finish.

96 ISA Server applies routing rules in the order in which they are listed when you click Routing under Network Configuration in the console tree. To change the order in which rules are applied, right-click a rule, and then click Move Up or Move Down. The built-in Default rule retrieves requests directly from the specified destination. You can edit but you cannot delete the default routing rule. Applying Web Routing Rules

97 Configuring Routing for Firewall Client and SecureNAT Client Requests (slide shows the Network Configuration Properties dialog, Firewall Chaining tab, with the options Use primary connection and Chain to this computer, the Use this account check box and Set Account button, and the Select Server or Array and Set Account dialogs)

98 You can route requests from Firewall and SecureNAT clients by using firewall chaining. Firewall chaining refers to a hierarchical connection between individual ISA Server computers or arrays of ISA Server computers. Firewall chaining enables requests from Firewall clients and SecureNAT clients to be routed to upstream servers. For example, in an enterprise, you might configure ISA Server to forward all SecureNAT and Firewall client requests to an ISA Server computer at a central office, which then forwards the requests to the Internet.

99 To configure firewall chaining: 1. In ISA Management, in the console tree, expand Servers and Arrays, expand your array, right-click Network Configuration, and then click Properties. 2. On the Firewall Chaining tab, click Chain to this computer, and then type the name of the computer in the box. 3. If the server that you are chaining to is accessible only by using user account credentials, click the Use this account check box, and then click Set Account. In the Set Account dialog box, type the user name, type the password twice, and then click OK twice.

100 Automatic Discovery Overview (slide shows the discovery sequence: 1. Client contacts DNS or DHCP server for ISA Server information. 2. WPAD entry on DHCP or DNS server points to the ISA Server. 3. Client retrieves configuration information from ISA Server. 4. Client forwards Internet requests to ISA Server based on configuration information. The DNS entry shown is alias name WPAD with FQDN isa.domain.msft.)

101 For a Web Proxy client or a Firewall client to connect to an ISA Server computer, you must configure the browser or Firewall client to forward Internet requests to a specific ISA Server computer. If the ISA Server computer becomes unavailable or you want to use a different ISA Server computer, you must change this configuration. When you enable automatic discovery, Firewall clients and Web Proxy clients can automatically find an ISA Server computer on the network. Using automatic discovery can help you to minimize the time spent troubleshooting connection problems on client computers.

102 Web Proxy clients enable automatic discovery by using Web Proxy AutoDiscovery Protocol (WPAD) information. Firewall clients use the Winsock Proxy AutoDetect Protocol (WSPAD). Both clients connect to an ISA Server computer and request configuration information after locating the ISA Server computer by using a WPAD entry on the Dynamic Host Configuration Protocol (DHCP) server or the Domain Name System (DNS) server.

103 Automatic discovery is especially useful when you move your computer from one network to another. For example, if you use a laptop computer at home and at work, both the Firewall client and Microsoft Internet Explorer use ISA Server when you are connected to the corporate network, but you can gain access to the Internet directly when you are working at home.

104 The automatic discovery process works as follows: 1. A client connects to a DNS or DHCP server for the ISA Server location information. 2. The client uses a WPAD entry to locate an ISA Server computer. 3. The client connects to the ISA Server computer specified in the WPAD entry to retrieve configuration information by using the WPAD protocol or the WSPAD protocol. 4. The client configures itself by using the configuration information that it retrieved.

105 Configuring Automatic Discovery Configuring ISA Server for Automatic Discovery Configuring a DNS Server for Automatic Discovery Configuring a DHCP Server for Automatic Discovery

106 The automatic discovery feature of ISA Server enables clients to automatically detect the appropriate ISA Server computer. To allow automatic discovery, you must first configure ISA Server to publish WPAD information. You can configure automatic discovery for clients running Windows 2000, Microsoft Windows 98, and Microsoft Windows Millennium Edition that use DHCP or DNS.

107 To configure ISA Server to publish WPAD information, perform the following procedure on each ISA Server computer or array that you want to configure for automatic discovery: 1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the appropriate server or array, and then click Properties. 2. In the Properties dialog box for the server or array, on the Auto Discovery tab, select the Publish automatic discovery information check box, and then click OK. Note: In most cases, you use port 80 for publishing automatic discovery information. Changing this port prevents clients from using DNS for automatic discovery. Configuring ISA Server for Automatic Discovery

108 To configure a DNS server for automatic discovery of ISA Server, perform the following procedure for each DNS zone that clients use: 1. Open DNS, in the console tree, right-click the forward lookup zone for the DNS domain that the client computers belong to, and then click New Alias. 2. In the New Resource Record dialog box, in the Alias name box, type WPAD 3. In the Fully qualified name for target host box, type the fully qualified domain name of the ISA Server computer that will supply the configuration information, and then click OK. Configuring a DNS Server for Automatic Discovery

109 To configure a DHCP server for automatic discovery of ISA Server: 1. Open DHCP, in the console tree, right-click the DHCP server that assigns IP addresses to client computers, and then click Set Predefined Options. 2. In the Predefined Options and Values dialog box, click Add. 3. In the Option Type dialog box, specify the following information, and then click OK: In the Name box, type WPAD In the Data type box, click String In the Code box, type 252 Configuring a DHCP Server for Automatic Discovery

110 4. In the Value area, in the String box, type http://name/wpad.dat (where name is the name of the ISA Server computer that will supply the configuration information), and then click OK. Note: If you configured ISA Server to use a non-standard port for publishing automatic discovery information, type the WPAD information in the format http://name:port/wpad.dat (where port is the port that you configured for publishing automatic discovery information). Configuring a DHCP Server for Automatic Discovery (continued)

111 5. In the Local Area Network (LAN) Settings dialog box, select the Automatically detect settings check box, and then click OK twice. Important: To use DHCP for automatic discovery, you must ensure that there is a DHCP server with a valid scope for each network segment that has ISA Server clients. To use DNS for automatic discovery, you must ensure that there is a WPAD entry for each DNS domain that has ISA Server clients. Configuring a DHCP Server for Automatic Discovery (continued)

112 Configuring Clients for Automatic Discovery Setting Automatic Discovery for Firewall Clients Setting Automatic Discovery for Internet Explorer

113 Before clients can use automatic discovery, you must enable the Firewall Client and Internet Explorer to automatically detect ISA Server.

114 To set automatic discovery for Firewall Clients: 1. On the client computer, open Control Panel, and then double-click Firewall Client. 2. In the Firewall Client Options dialog box, select the Automatically detect ISA Server check box, and then click OK. Setting Automatic Discovery for Firewall Clients

115 To set automatic discovery for Internet Explorer: 1. In Internet Explorer, on the Tools menu, click Internet Options. 2. On the Connections tab, click LAN settings. 3. In the Local Area Network (LAN) Settings dialog box, select the Automatically detect settings check box, and then click OK twice. Setting Automatic Discovery for Internet Explorer

116 Customizing Client Discovery Information Customizing Settings for Web Proxy Clients Customizing Settings for Firewall Clients

117 You can customize the information that Firewall clients receive when they retrieve configuration information from ISA Server. You can also customize the client discovery information for Web Proxy clients.

118 You can customize the Web Proxy configuration settings that ISA Server applies to a computer when you install the Firewall Client on that computer. To customize settings for Web Proxy clients: 1. In ISA Management, in the console tree, expand Servers and Arrays, expand your array or server, and then click Client Configuration. 2. In the details pane, right-click Web Browser, and then click Properties. Customizing Settings for Web Proxy Clients

119 3. In the Web Browser Properties dialog box, on the General tab, configure the following settings: Configure Web browser during Firewall client setup. Use this setting to enable ISA Server to apply the Web Proxy settings that you configure on the ISA Server when you install the Firewall Client. DNS name. Type the DNS name of the ISA Server computer to which the client connects. Important: The setting in the Port box must match the port number that the ISA Server computer uses to publish configuration information or the port that you configured as a listener. Customizing Settings for Web Proxy Clients (continued)

120 Automatically discover settings. Use this setting to specify that a client automatically attempts to discover current settings when starting up. Set Web browser to use automatic configuration script. Use this setting to specify that a client uses a configuration script that it retrieves from ISA Server. Customizing Settings for Web Proxy Clients (continued)

121 4. In the Web Browser Properties dialog box, on the Direct Access tab, configure the following settings: Bypass proxy for local servers. Use this setting to specify that clients gain access to servers on the intranet without going through ISA Server. Directly access computers specified in the Local Domain Table (LDT). Use this setting to specify that clients gain access to computers with DNS names that are defined in the LDT without going through ISA Server. Directly access these servers. Click Add to specify servers that clients always gain access to directly. Customizing Settings for Web Proxy Clients (continued)

122 5. In the Web Browser Properties dialog box, on the Backup Route tab, configure the following setting, and then click OK: If ISA Server is unavailable, use this backup route to connect to the Internet. Use this setting to provide an alternate route for clients to connect to the Internet when the ISA Server computer is not available. Customizing Settings for Web Proxy Clients (continued)

123 To customize settings for Firewall Clients: 1. In ISA Management, in the console tree, expand Servers and Arrays, expand your array or server, and then click Client Configuration. 2. In the details pane, right-click Firewall Client, and then click Properties. Customizing Settings for Firewall Clients

124 3. In the Firewall Client Properties dialog box, on the General tab, configure the following settings: DNS name. Use this setting to specify the name of the ISA Server computer from which the Firewall Client will retrieve its configuration information. IP address. Use this setting to specify the IP address of the ISA Server computer from which the Firewall Client will retrieve its configuration information. Enable ISA Firewall automatic discovery in Firewall Client. Use this setting to configure Firewall clients to use automatic discovery. Customizing Settings for Firewall Clients (continued)

125 4. In the Firewall Client Properties dialog box, on the Application Settings tab, select an application, click New or Edit to configure advanced application settings for the Firewall Client configuration file, and then click OK. Special settings are required to allow the Firewall Client to correctly handle certain protocols. Note: For more information about advanced application settings for the Firewall Client configuration file, see "Firewall client application settings" in ISA Server Help. Customizing Settings for Firewall Clients (continued)

126  Scaling ISA Server Understanding CARP Configuring CARP Understanding Network Load Balancing

127 When you set up an array of ISA Server computers, you can increase performance and availability by distributing caching and using Network Load Balancing. ISA Server uses the CARP protocol to enable multiple ISA Server computers in an array to distribute the cache between them. You can enable CARP for both outgoing and incoming requests. You can also configure array members so that different servers have different cache loads.

128 For SecureNAT clients, fault tolerance can be achieved when two or more ISA Server computers are used together with Windows 2000 Advanced Server Network Load Balancing. Also, by combining the resources of two or more computers running Windows 2000 Advanced Server into a single Network Load Balancing cluster, Network Load Balancing can increase reliability and performance for servers that you publish by using ISA Server. Important: To use CARP and to use Network Load Balancing efficiently, you must use ISA Server Enterprise Edition.

129 Understanding CARP (slide shows a Web Proxy client, the array.dll?Get.Info.v1 request, the Array Membership List of Server 1 through Server 5, and requests routed through the array members to the Internet)

130 ISA Server computers in an array use CARP to create a single logical cache. CARP is a routing algorithm that provides efficiency and prevents the duplication of cache content. CARP uses hash-based routing to determine the best path through an array to resolve a request. By using CARP, Web Proxy clients and downstream servers are able to determine the most efficient way to route a request. In addition, by using hash-based routing instead of queries to determine the location of cached information, CARP becomes faster and more efficient as more member servers are added to the array.

131 ISA Server uses CARP to provide efficient routing for Web requests as follows: An array membership list, which is maintained in Active Directory, tracks the servers in the array. Array members are notified when servers are added or removed from the array. Periodically, Web Proxy clients and downstream servers poll the array membership list and, if necessary, update it. Web Proxy clients send an array.dll?Get.Routing.Script request to the member server. Downstream servers send an array.dll?Get.Info.v1 request to the member server.

132 When requesting an object, the Web Proxy client or the downstream server uses the array membership list and the hash function to determine which server should resolve the request. The request is then routed to the server that has the hash with the highest value. The server receiving the request checks if it should handle the request. If so, it sends the request to the Internet host. If not, it sends the request to another array member. Forwarding to another array member transparently allows clients that cannot use CARP to get the benefits of distributed caching.

133 Note: The hash is a value that is derived from the URL of the Web request and the server properties. ISA Server uses this value to determine which ISA Server computer caches a given URL. Similarly, Web Proxy clients that support CARP use the same formula to determine which ISA Server computer in an array may hold a cached copy of the object. Because both the client computer and the array members use the same formula to determine the hash value for a given URL, there is a high likelihood that the ISA Server computer that the client contacts does indeed cache that URL. Using this mechanism instead of a central directory causes less network traffic and processor usage for both the Web Proxy clients and ISA Server computers. For more information about CARP, see the white paper "Cache Array Routing Protocol and Microsoft Proxy Server 2.0" under Additional Reading on the Student Materials compact disc. The implementation of CARP in ISA Server is identical to the implementation in Proxy Server 2.0.
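The routing script that Web Proxy clients retrieve after automatic discovery, modelled in JavaScript as an added example (not ISA Server's generated wpad.dat): it applies the Direct Access and Backup Route settings described under Customizing Settings for Web Proxy Clients, then ranks the array members for a URL with the CARP hash and load-factor multipliers from the public CARP v1 draft. The host names, domains, load factors and the ordering of the returned proxy list are assumptions.

```javascript
// Added example, not ISA Server's generated wpad.dat: a model of the routing
// script a Web Proxy client retrieves after automatic discovery. It applies
// the Direct Access and Backup Route settings, then ranks array members for
// a URL with the CARP hash. Hash and load-multiplier formulas follow the
// public CARP v1 draft; names, domains and load factors are constructed.

function rotl(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// CARP string hash: hash += ROTL(hash, 19) + c, in unsigned 32-bit arithmetic.
function carpHash(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) {
    h = (h + rotl(h, 19) + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Extra mixing step the draft applies to member hashes and combined hashes.
function scramble(h) {
  h = (h + Math.imul(h, 0x62531965)) >>> 0;
  return rotl(h, 21);
}

// Turns each server's load factor (the Array Membership tab value) into the
// multiplier from the CARP draft, so that a member's share of URLs is
// proportional to its factor. Members are processed in ascending order.
function loadMultipliers(members) {
  const total = members.reduce((s, m) => s + m.loadFactor, 0);
  const sorted = members.slice().sort((a, b) => a.loadFactor - b.loadFactor);
  const K = sorted.length;
  const result = {};
  let pLast = 0, xProduct = 1, xLast = 0;
  sorted.forEach((m, idx) => {
    const kk1 = K - idx; // K - k + 1 for the k-th member, k = idx + 1
    const p = m.loadFactor / total;
    let x = (kk1 * (p - pLast)) / xProduct + Math.pow(xLast, kk1);
    x = Math.pow(x, 1 / kk1);
    result[m.name] = x;
    xProduct *= x;
    xLast = x;
    pLast = p;
  });
  return result;
}

// Ranks array members for a URL, highest CARP score first. The client and
// every array member compute the same ranking independently, so locating
// the member that caches an object needs no lookup traffic.
function rankMembers(url, members) {
  const mult = loadMultipliers(members);
  const urlHash = carpHash(url);
  return members
    .map((m) => {
      const combined = scramble((urlHash ^ scramble(carpHash(m.name))) >>> 0);
      return { name: m.name, score: combined * mult[m.name] };
    })
    .sort((a, b) => b.score - a.score)
    .map((m) => m.name);
}

// Constructed client configuration, mirroring the Web Browser Properties tabs.
const CLIENT_CONFIG = {
  bypassLocal: true,                     // Bypass proxy for local servers
  localDomains: ["nwtraders.msft"],      // Local Domain Table (LDT) entries
  directServers: ["mirror.example.com"], // Directly access these servers
  proxyPort: 8080,
  backupRoute: "DIRECT",                 // Backup Route tab; "" disables it
  members: [
    { name: "london", loadFactor: 100 },
    { name: "paris", loadFactor: 100 },
    { name: "berlin", loadFactor: 200 }, // larger disk: twice the share
  ],
};

// Minimal versions of the PAC helpers a browser normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// PAC entry point. Returns DIRECT for hosts the Direct Access tab excludes,
// otherwise the array members in CARP order followed by the backup route, so
// the browser moves to the next entry if a member is unavailable.
function FindProxyForURL(url, host, config = CLIENT_CONFIG) {
  const h = host.toLowerCase();
  if (config.bypassLocal && isPlainHostName(h)) return "DIRECT";
  if (config.localDomains.some((d) => dnsDomainIs(h, d.toLowerCase()))) return "DIRECT";
  if (config.directServers.some((s) => s.toLowerCase() === h)) return "DIRECT";
  const route = rankMembers(url, config.members)
    .map((name) => "PROXY " + name + ":" + config.proxyPort);
  if (config.backupRoute) route.push(config.backupRoute);
  return route.join("; ");
}
```

Because any member can be the first choice for a given URL, every member must enforce the same array policy, which is why ISA Server applies array rules to all computers in the array.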

134 Configuring CARP (slide shows the LONDON array Properties dialog, Outgoing Web Requests tab, with the Resolve requests within array before routing check box that enables CARP, and the LONDON computer Properties dialog, Array Membership tab, with the intra-array communication IP address 131.107.3.1 and the Load Factor box set to 100)

135 You can enable CARP separately for incoming and outgoing Web requests. By default, ISA Server enables CARP for outgoing Web requests and disables CARP for all incoming Web requests. You can also distribute the cache load by configuring the load factor for any ISA Server computer in an array. For example, if a server has a larger disk or a fast processor, you can configure that server to receive more of the cache load by increasing its load factor.

136 To enable CARP: 1. In ISA Management, in the console tree, right-click the applicable array, and then click Properties. 2. On the Incoming Web requests tab or on the Outgoing Web requests tab, select the Resolve requests within array before routing check box, and then click OK. Enabling CARP

137 The load factor for an ISA Server computer indicates the share of caching based on the total of the load factors of all servers in the array. To configure the load factor: 1. In ISA Management, in the console tree, click Computers. 2. In the details pane, right-click the applicable computer, and then click Properties. 3. On the Array Membership tab, under Load factor, type the load factor, and then click OK. Important: When a member server of an array sends a request to another member server, it uses the intra-array IP address of a server. This address must be an internal IP address. Configuring the Load Factor

138 Understanding Network Load Balancing (slide shows the Internet, an ISA Server array with a cache on each member, and a published server)

139 You can use the Network Load Balancing component of Windows 2000 Advanced Server to share the publishing of internal servers between multiple ISA Server computers. Important: Network Load Balancing is available only with Windows 2000 Advanced Server.

140 Network Load Balancing distributes incoming Transmission Control Protocol/Internet Protocol (TCP/IP) traffic between multiple servers by enabling all of the computers in the cluster to be accessed by using a unique, dedicated IP address. When you use Network Load Balancing for incoming Web requests, all client computers connect to the same IP address. Network Load Balancing then distributes requests that arrive at this IP address to multiple ISA Server computers. Network Load Balancing uses a mechanism that is similar to CARP to distribute client requests between different servers. However, unlike CARP, this process is completely transparent to the clients.

141 Note: You can also achieve load balancing by configuring DNS for round-robin lookups. Configuring DNS for round-robin lookups is easier than configuring Network Load Balancing, but Network Load Balancing provides more efficient load balancing and fault tolerance.

142 For best performance and for ease of administration, ensure that all members of the Network Load Balancing cluster are members of the same ISA Server array. Note: For more information about Network Load Balancing, see "Using Network Load Balancing" in ISA Server Help, the white paper entitled "Network Load Balancing Technical Overview" under Additional Reading on the Student Materials compact disc, and "Network Load Balancing" in the Windows 2000 Server Resource Kit.

143  Extending and Automating ISA Server Functionality Automating Administration Tasks Extending Functionality By Using Filters

144 Security policies, network traffic, and content formats vary from organization to organization. To meet the unique security and performance needs of a large organization, ISA Server is extensible. Several third-party vendors offer compatible and complementary solutions that extend and integrate with ISA Server. You can also automate many ISA Server administration tasks by using scripts.

145 Important: You can gain benefits from using ISA Server's extensibility and automation features whether you use the Standard Edition or the Enterprise Edition. Note: The ISA Server Software Development Kit (SDK) is included on the ISA Server compact disc. For more information about third-party offerings, see the Microsoft ISA Server Web site at http://www.microsoft.com/isaserver/

146 Automating Administration Tasks Using the ISA Server SDK Extending ISA Management Managing Cache Content Adding Custom Events and Alerts

147 You can use scripting to automate many of the administration tasks of ISA Server. Scripting allows you to use ISA administration objects to gain access to and control policies and configuration settings for an enterprise, an ISA Server array, or a stand-alone server. You can use the same script multiple times to automate repetitive tasks or to apply the same configuration settings to multiple stand-alone servers or arrays. Note: Scripting requires some basic familiarity with a scripting language, such as Microsoft Visual Basic® Scripting Edition (VBScript) or Microsoft JScript®, or a programming language, such as Microsoft Visual C++® or Microsoft Visual Basic.

148 Documentation for creating administration scripts is included in the ISA Server SDK, which you can install from the \sdk directory on the ISA Server compact disc. The SDK also contains required run-time libraries, sample scripts and applications, and information about ISA Server architecture and internals. Using the ISA Server SDK

149 An example of a simple script that adds a site and content rule to an enterprise policy is as follows:
' Connect to the root of the ISA Server administration COM object model
Set ISA = CreateObject("FPC.Root")
' Open the enterprise policy that the new rule belongs to
Set EnterprisePolicy = ISA.Enterprise.EnterprisePolicies("Policy For All Employees")
Set SiteAndContentRules = EnterprisePolicy.SiteAndContentRules
' Add a new rule to the collection and describe it
Set SiteAndContentRule = SiteAndContentRules.Add("Allow Internet Access")
SiteAndContentRule.Description = "Allow Internet access to all employees"
' fpcRuleActionPermit is a constant from the ISA Server type library; a plain
' .vbs file cannot see type library constants, so run the script from a .wsf
' file that references the library or define the constant yourself
SiteAndContentRule.Action = fpcRuleActionPermit
' Write the new rule to the configuration store
SiteAndContentRule.Save

150 You can extend ISA Management by creating context-sensitive menu extensions, adding extension snap-ins to ISA Management, and adding tasks to ISA Management Taskpads. Note: For more information about how to perform these tasks, see "Extending ISA Management" in the ISA Server SDK documentation. Extending ISA Management

151 You can manage all of the cache content in ISA Server programmatically. For example, you could create an application that places objects into the cache from storage media, such as a CD-ROM. By using storage media, you can pre-load the cache to give users access to data even when no connection to the Internet is available for extended periods or where preloading the cache from the Internet would create unacceptable amounts of network traffic. Managing Cache Content

152 You can create custom events and alerts by using scripts. For example, you can create an alert that is triggered when a specific connection sequence occurs that indicates an intrusion attempt. You can also create a custom alert. For example, you could create an alert that signals a specialized application to send a pre-recorded telephone message to administrators. Adding Custom Events and Alerts

153 Extending Functionality By Using Filters Creating Application Filters Creating Web Filters

154 You can enhance ISA Server functionality by installing filters developed by third-party vendors. You can also create your own filters. The ISA Server SDK contains information about how to do this and contains several samples of how to create filters. Finally, by using the programming interfaces of ISA Server, you can customize many built-in features of ISA Server. To create application filters or Web filters, use Visual C++. Visual Basic, Java, and scripting languages are not suitable for creating such filters. Note: For more information about how to perform these tasks, see the ISA Server SDK.

155 Application filters work with the Microsoft Firewall service of ISA Server to intercept and process data. Application filters can gain access to the data stream or specific datagrams that are associated with a session in the Firewall service. An application filter can perform protocol-specific tasks or system-specific tasks, such as authentication and checking for viruses. For example, the SDK contains an application filter sample that blocks the transmission of program files by using the FTP protocol. Creating Application Filters

156 Web filters work with the Microsoft Web Proxy service to perform tasks on Web objects that the Web Proxy service processes. You can create Web filters to perform tasks such as: Scanning and modifying Web requests or responses. Implementing custom authentication schemes. Encrypting data. Logging data. Performing traffic analysis or other analysis tasks. Creating Web Filters

157 For example, you can create a Web filter that blocks access to Web pages that contain specific words. ISA Server implements Web filters as Internet Server Application Programming Interface (ISAPI) applications. If you use ISAPI programming to create ISAPI applications for Internet Information Services (IIS), you will be able to use these same skills to create Web filters for ISA Server.

158 Lab A: Configuring ISA Server for the Enterprise

159 Exercise 1: Configuring Auto Discovery In this exercise, you will configure DNS and DHCP to enable Auto Discovery for ISA Server clients.

160 Exercise 1: Scenario When you installed ISA Server, you configured the client computers to use the ISA Server computer for Internet access. This configuration works well most of the time, but it takes much of your time to configure new client computers and troubleshoot connection problems with existing clients. To reduce the time that it takes to support ISA Server clients, you decide to configure ISA Server Auto Discovery.

161 Exercise 2: Installing the ISA Server Schema Update In this exercise, you will install the ISA Server schema update.

162 Exercise 2: Scenario Northwind Traders has experienced rapid growth in its network infrastructure and performance monitoring shows heavy usage of your ISA Server computer. You have decided to improve performance for Internet access by using an ISA Server array. Before you can create an ISA Server array, you must install the ISA Server Active Directory schema update.

163 Exercise 3: Promoting an Array In this exercise, you will promote a stand-alone ISA Server computer to an array.

164 Exercise 3: Scenario After you have installed the schema update, you can create an ISA Server array for Northwind Traders. To preserve most of the configuration settings that you have performed on your stand-alone ISA Server computer, you will promote the stand-alone server to an array.

165 Exercise 4: Creating Enterprise Policies and Array Policies In this exercise, you will create enterprise policies and array policies.

166 Exercise 4: Scenario After you have promoted the stand-alone ISA Server computer to an array, you must configure the rules that are required to implement the Internet access policy of Northwind Traders. The first rule is a rule that allows administrators to gain access to the Internet to test the array.

167 Adding an ISA Server Computer to an Array In this exercise, you will add an ISA Server computer to an array.

168 Scenario After you have configured the ISA Server array at Northwind Traders, you will add another ISA Server computer to the array to provide the scalability and fault tolerance that an array provides.

169 Review Introducing ISA Server Enterprise Edition Installing ISA Server in the Enterprise Using Enterprise Policies and Array Policies Managing Network Connections Scaling ISA Server Extending and Automating ISA Server Functionality

170 Appendix A: ISA Server Caching Criteria ISA Server uses several criteria when determining which objects to cache and how to cache them. This appendix provides an overview of the caching criteria used by ISA Server.

171 HTTP Caching ISA Server uses the following criteria when caching HTTP objects:

172 HTTP Caching (continued) HTTP Methods. The Request Method must be an HTTP GET. Otherwise, ISA Server bypasses the cache mechanism. An exception is the case of negative caching. If the request is an HTTP PUT or an HTTP DELETE, ISA Server purges obsolete data from the cache. Dynamic Content. By default, ISA Server does not cache dynamic content, which is defined as URLs that contain a "?". If you enable caching of dynamic content, ISA Server caches the object only if the response header contains an Always Cache meta-tag. This scenario rarely occurs, and for performance reasons, you should carefully evaluate caching of dynamic content. HTTP Request Headers. ISA Server bypasses the caching mechanism for objects with certain request headers.

173 HTTP Caching (continued) The following request headers cause ISA Server to bypass the caching mechanism entirely. ISA Server does not look for the object in its cache and does not store the response. Cache-control: no-store Authorization (An exception to this rule occurs if the Web server explicitly allows caching by sending a Cache-Control: public, s-maxage, or must-revalidate header.)

174 HTTP Caching (continued) The following request headers cause ISA Server to bypass the cache when retrieving the object, but ISA Server may cache the response for future use: Cache-control: no-cache (The object must be validated again during subsequent requests.) Pragma: no-cache (The object must be validated again during subsequent requests.) If-Match If-Unmodified-Since If-Range

175 HTTP Caching (continued) The following request headers allow the client to override the default cache expiration behavior on a per-request basis: Cache-Control: max-age Cache-Control: min-fresh Cache-Control: max-stale Cache-Control: only-if-cached

176 HTTP Caching (continued) HTTP Response Codes. By default, ISA Server only caches responses with the following HTTP response codes: 200 success 203 non-authoritative information 300 multiple choices 301 moved permanently 410 gone

177 HTTP Caching (continued) HTTP Response Headers. ISA Server always caches objects with the following HTTP response headers: Cache-Control: public Cache-Control: max-age Cache-Control: proxy-revalidate Cache-Control: must-revalidate

178 HTTP Caching (continued) ISA Server never caches objects with the following HTTP response headers: Cache-Control: no-cache Cache-Control: no-store Cache-Control: private Pragma: no-cache Set-cookie WWW-Authenticate Note: ISA Server caches objects with a WWW-Authenticate header only if the response also contains a Cache-Control: public header. This combination of headers is extremely rare. In all other cases, if a single response contains one of the headers that cause ISA Server to cache the object and one of the headers that cause ISA Server to not cache the object, ISA Server does not cache the object.
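The request-method, dynamic-content, request-header, response-code and response-header rules above, modelled as one decision function. This is an added example, not ISA Server code; it assumes default settings (dynamic-content caching disabled) and, following the Note, lets the "never cache" response headers override the "always cache" ones.

```python
"""Model of the HTTP cacheability rules listed in Appendix A (added example,
not ISA Server code). Assumes default settings: dynamic-content caching is
disabled, and the 'never cache' response headers win over the 'always cache'
headers, as the Note under the response-header list states."""
from typing import Dict, Set, Tuple

CACHEABLE_STATUS = {200, 203, 300, 301, 410}
# Request headers that skip the cache lookup but still allow the response to be stored
LOOKUP_BYPASS = {"if-match", "if-unmodified-since", "if-range"}
# Response directives that let a request carrying Authorization be cached anyway
AUTH_EXCEPTIONS = {"public", "s-maxage", "must-revalidate"}


def cc_directives(headers: Dict[str, str]) -> Set[str]:
    """Lower-cased Cache-Control directive names, e.g. {'public', 'max-age'}."""
    value = headers.get("cache-control", "")
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}


def cache_decision(method: str, url: str, req_headers: Dict[str, str],
                   status: int, resp_headers: Dict[str, str]) -> Tuple[bool, bool]:
    """Return (lookup, store): whether the cache is consulted for the request
    and whether the response would be written to the cache."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    req_cc, resp_cc = cc_directives(req), cc_directives(resp)

    # Only GET goes through the cache; PUT/DELETE purge, everything else bypasses.
    if method.upper() != "GET":
        return False, False
    # Request headers that bypass the cache entirely.
    if "no-store" in req_cc:
        return False, False
    if "authorization" in req and not (resp_cc & AUTH_EXCEPTIONS):
        return False, False

    # Request headers that force revalidation but do not prevent storing.
    lookup = not ("no-cache" in req_cc
                  or "no-cache" in req.get("pragma", "").lower()
                  or LOOKUP_BYPASS & set(req))

    # Response side: status code, dynamic URL, and blocking headers.
    store = status in CACHEABLE_STATUS and "?" not in url
    if (resp_cc & {"no-cache", "no-store", "private"}
            or "no-cache" in resp.get("pragma", "").lower()
            or "set-cookie" in resp):
        store = False
    if "www-authenticate" in resp and "public" not in resp_cc:
        store = False
    return lookup, store
```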

179 HTTP Caching (continued) Vary header. Web servers use the Vary header to indicate the presence of multiple versions of an object with the same URL. The version that is returned depends on one or more request headers that are specified as arguments to the Vary header. ISA Server can store multiple versions of the same object in its cache with the following implementation limitations: The object can vary on only one request header. The varying header name cannot be longer than 31 characters. The limitation refers to the header name such as "User-Agent," not the value. ISA Server reduces the maximum URL length by the size of the varying header and its value.

180 HTTP Caching (continued) Headers added by ISA Server for caching. ISA Server adds the Age header to all objects served from the cache. The Age header indicates how long the object has been in the cache without ISA Server having revalidated the object. The information in the Age header can be useful when you troubleshoot reported caching problems or when you must know whether an object was cached. ISA Server also adds the Warning header on rare, appropriate occasions when required by the HTTP specifications.

181 HTTP Caching (continued) Download Errors. If there is an error downloading an object that is being written to the cache, ISA Server deletes the object from the cache. Such an error can be caused by the client disconnecting before the download is complete. Cache Filters. You can configure routing rules that disable caching for certain requests. You can use such routing rules for Web sites that users gain access to by using a fast network connection. For more information on routing rules, see Module 9, "Configuring ISA Server for an Enterprise," in course 2159A, Deploying and Managing Microsoft ISA Server 2000.

182 Caching Myths Microsoft Product Support Services (PSS) has identified a number of common misconceptions about the caching mechanism that ISA Server uses. The following factors do not affect caching: URLs containing strings such as cgi or cgi-bin. ASP pages or other content that is dynamically created on the Web server. Responses that don't contain a Last-Modified date. ISA Server only caches responses without a Last-Modified date if you configure ISA Server to do so. META tags within HTML. Most Web servers do not move META tags from the HTML code to the HTTP headers. The type of object, such as whether the object is a file other than a Web page.

183 FTP Caching Because FTP servers do not return the helpful information that Web servers do, FTP caching is much simpler. ISA Server caches all FTP responses for a fixed period of time that you specify by using ISA Management.

184 Active Caching The operations of active caching depend on three factors:

185 Active Caching (continued) Time of last object access. When you configure active caching, ISA Server retrieves Web objects with a Time-to-Live (TTL) that is close to expiring. When you configure ISA Server to perform active caching less frequently, ISA Server actively retrieves Web objects only if a user recently requested the object. When you configure ISA Server to perform active caching more frequently, ISA Server actively retrieves Web objects even if more time has passed since a user last requested the object.

186 Active Caching (continued) System load. When ISA Server determines that the number of current client sessions is low, ISA Server updates the objects that are marked for active caching as soon as 50% of the object's current TTL has expired. As the number of current client sessions approaches the maximum number of client sessions that ISA Server allows, active caching only retrieves objects that have a TTL that is close to expiring.

187 Active Caching (continued) System performance. ISA Server contains several mechanisms that ensure that active caching does not place an undue burden on your computer's system performance.

