
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.


1 Module 2: Installing and Maintaining ISA Server

2 Overview
- Installing ISA Server 2004
- Choosing ISA Server Clients
- Installing and Configuring Firewall Clients
- Advanced Firewall Client Configuration
- Securing ISA Server 2004
- Maintaining ISA Server 2004

3 Lesson: Installing ISA Server 2004
- System and Hardware Requirements for ISA Server 2004
- Installation Types and Components
- Configuration Choices During Installation
- How to Perform an Unattended Installation of ISA Server 2004
- How to Verify an Installation of ISA Server 2004
- Default Configuration for ISA Server 2004
- How to Modify the ISA Server Installation
- Upgrade Options from ISA Server 2000 to ISA Server 2004

4 System and Hardware Requirements for ISA Server 2004
- Windows Server 2000 or Windows Server 2003
- CPU: 500 MHz
- RAM: 256 MB
- Hard Disk Format: NTFS
- Hard Disk Space: 150 MB
- (Diagram labels: Internal, External)

5 Installation Types and Components

6 Configuration Choices During Installation

7 Practice: Installing ISA Server 2004
- Installing ISA Server 2004
- (Diagram: Internet, Den-ISA-01, Den-DC-01)

8 How to Perform an Unattended Installation of ISA Server 2004
- Why Use an Unattended Installation of ISA Server?
- Modifying the Msisaund.ini File

    [Setup Property Assignment]
    PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx
    INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
    INSTALLDIR=C:\Program Files\Microsoft ISA Server
    COMPANYNAME=Coho Vineyards
    DONOTDELLOGS=1
    DONOTDELCACHE=1
    ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE

- Running an Unattended Setup

    D:\Setup.exe /V" /qn FULLPATHANSWERFILE=\"c:\MSISAUND.INI\""
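As an added example (not part of the original presentation), this Python check reviews the INTERNALNETRANGES property of an Msisaund.ini answer file before unattended setup is run, since that value defines which addresses ISA Server treats as the Internal network. It assumes the leading number is the count of ranges that follow and that multiple ranges are comma-separated, which the slide's single-range sample does not show; the RFC 1918 policy, the function names and the sample text are also assumptions of this example.

```python
import configparser
import ipaddress

# Constructed sample mirroring the slide's answer file (placeholder product key).
SAMPLE = r"""
[Setup Property Assignment]
PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx
INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
INSTALLDIR=C:\Program Files\Microsoft ISA Server
DONOTDELLOGS=1
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
"""
SECTION = "Setup Property Assignment"
# Assumed policy for this example: the Internal network is RFC 1918 space only.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ranges(value):
    """Split 'N from-to,from-to,...' into (N, [(first, last), ...])."""
    count, _, rest = value.strip().partition(" ")
    ranges = []
    for item in filter(None, (p.strip() for p in rest.split(","))):
        first, _, last = item.partition("-")
        ranges.append((ipaddress.IPv4Address(first.strip()),
                       ipaddress.IPv4Address(last.strip())))
    return int(count), ranges

def check_answer_file(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep property names upper case
    cp.read_string(text)
    if not cp.has_option(SECTION, "INTERNALNETRANGES"):
        return ["INTERNALNETRANGES is missing"]
    try:
        declared, ranges = parse_ranges(cp[SECTION]["INTERNALNETRANGES"])
    except ValueError as exc:  # bad count or bad IPv4 address
        return [f"INTERNALNETRANGES is malformed: {exc}"]
    findings = []
    if declared != len(ranges):
        findings.append(f"declares {declared} range(s) but lists {len(ranges)}")
    for first, last in ranges:
        if first > last:
            findings.append(f"{first}-{last}: start is above end")
            continue
        blocks = ipaddress.summarize_address_range(first, last)
        if not all(any(b.subnet_of(p) for p in PRIVATE) for b in blocks):
            findings.append(f"{first}-{last}: extends outside RFC 1918 space")
    return findings
```

Calling `check_answer_file(SAMPLE)` returns an empty list for the slide's values; each string in a non-empty result names one problem to fix before running Setup.exe.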

9 How to Verify an Installation of ISA Server 2004
- Verify that the ISA Server services are installed and started
- Verify that the MSDE services are installed and started
- Review the setup log files
- Check the Application Log in the Event Viewer
- Check for ISA Server Alerts

10 Default Configuration for ISA Server 2004
- Only Administrators can modify firewall policies
- Traffic is routed between the ISA Server and all other networks
- Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation
- Traffic is routed between the VPN network and the Internal network
- System policy permits access to the ISA Server but access rules deny all network traffic through the ISA Server
- No servers are published
- Web Proxy requests will be retrieved directly from the Internet
- Caching is disabled
- A rule enabling access to the Firewall Client installation share is configured if you install the Firewall Client installation files

11 Practice: Verifying the Installation and Default Configuration of ISA Server 2004
- Verifying the successful installation of ISA Server 2004
- Examining the default installation of ISA Server 2004
- (Diagram: Internet, Den-ISA-01, Den-DC-01)

12 How to Modify the ISA Server Installation Options

13 Upgrade Options from ISA Server 2000 to ISA Server 2004
- In-Place Upgrade: ISA Server 2000; Install ISA Server 2004
- Migration: ISA Server 2000; Extract the ISA Server 2000 configuration; Import the ISA Server Configuration; Install ISA Server 2004

14 Lesson: Choosing ISA Server Clients
- Types of ISA Server Clients
- How to Configure a SecureNAT Client
- How to Configure Web Proxy Clients
- Guidelines for Choosing an ISA Server Client

15 Types of ISA Server Clients
- Improves the performance of Web requests for internal clients
- Allows internet access only for authenticated users
- Does not require you to deploy client software
- (Diagram: ISA Server, Internet, Web Proxy Client, Firewall Client, SecureNAT Client)

16 How to Configure a SecureNAT Client
- SecureNAT clients do not require client installation or client configuration
- On a single subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway
- On a multiple subnet network, configure the IP address of the router as the SecureNAT client default gateway

17 How to Configure Web Proxy Clients

18 Guidelines for Choosing an ISA Server Client
If you need to… / Then use…
- Avoid deploying client software: SecureNAT clients
- Use ISA Server only for forward caching: SecureNAT or Web Proxy clients
- Allow access only for authenticated clients: Firewall clients or Web Proxy clients
- Publish servers on your internal network: SecureNAT clients
- Improve Web performance for non-Windows operating systems: SecureNAT or Web Proxy clients

19 Practice: Configuring SecureNAT and Web Proxy Clients
- Configuring ISA Server to log client connections
- Configuring and testing a SecureNAT client
- Configuring and testing a Web Proxy client
- (Diagram: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01)

20 Lesson: Installing and Configuring Firewall Clients
- How to Configure Firewall Client Settings
- The Firewall Client Installation and Configuration Process
- Options for Automating the Firewall Client Installation

21 How to Configure Firewall Client Settings

22 The Firewall Client Installation and Configuration Process
The Firewall Client:
- Uses a common Winsock service provider that other Winsock applications use to connect to application servers
- Intercepts Winsock client application calls for remote application servers and redirects the request to ISA Server
Install the Firewall Client:
- From the Firewall Client share on computer running ISA Server or another network share

23 Practice: Installing the Firewall Client
- Configuring the Firewall Client settings on ISA Server
- Installing the Firewall Client
- (Diagram: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01)

24 Options for Automating the Firewall Client Installation
- SMS package distributed to specific clients using SMS
- Unattended installation
- Software package distributed using Group Policies

25 Lesson: Advanced Firewall Client Configuration
- Advanced Firewall Client Configuration Options
- Firewall Client Configuration Files
- What is the Automatic Discovery Feature?

26 Advanced Firewall Client Configuration Options
Locallat.txt:
- A client computer-specific file that defines local addresses for that client
- The client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the local IP addresses
Advanced Firewall Client settings:
- Can configure locally for each user and for each computer
- Configure changes to Firewall Client.ini files

27 Firewall Client Configuration Files
Application.ini

    [FW_Client_App]
    Disable=0
    NameResolution=R
    LocalBindTcpPorts=7777
    LocalBindUdpPorts=7000-7022, 7100-7170
    RemoteBindTcpPorts=30
    RemoteBindUdpPorts=3000-3050
    ServerBindTcpPorts=100-300
    ProxyBindIp=80:192.168.10.20, 82:192.168.10.30
    KillOldSession=1
    Persistent=1
    ForceCredentials=1
    NameResolutionForLocalHost=L

28 What Is the Automatic Discovery Feature?
- Where is Lon-ISA-02?
- Query DHCP or DNS for a WPAD entry
- WPAD: Den-ISA-01
- Request Configuration File
- Firewall Client Configuration
- (Diagram: DNS or DHCP Server, Den-ISA-01)

29 Practice: Configuring Automatic Discovery
- Configure the ISA Server for Automatic Discovery
- Configure DHCP for Automatic Discovery
- Configure DNS for Automatic Discovery
- (Diagram: Internet, Den-ISA-01, Den-DC-01, DNS Server, DHCP Server, Den-Clt-01)

30 Lesson: Securing ISA Server 2004
- ISA Server and Defense in Depth
- About Using Security Templates to Secure the Server
- Methods for Implementing Security Updates
- Guidelines for Enabling Only Required Services
- How to Secure the Network Interfaces
- Configuring Administrative Roles
- Best Practices for Securing the Server

31 ISA Server and Defense in Depth
Security at all levels:
- Increases an attacker’s risk of detection
- Reduces an attacker’s chance of success
Layers:
- Policies, Procedures, & Awareness: User education
- Physical Security: Guards, locks, tracking devices
- Perimeter: Firewalls, Network Access Quarantine Control
- Internal Network: Network segments, IPSec, NIDS
- Operating Systems: OS hardening, authentication, patch management, HIDS
- Application: Application hardening, antivirus
- Data: ACLs, encryption, EFS

32 About Using Security Templates to Secure the Server
- Configure one security template and then apply it to multiple computers, or reapply the template occasionally to the same computers to ensure that the security settings are not changed
- Use the Security Templates MMC snap-in to apply the security templates to ISA Servers
- Apply the security template through Group Policies at a domain or organizational unit level

33 Methods for Implementing Security Updates
- Monitor security updates to know what security updates are available and the security issues each update is designed to fix
- Use tools like Microsoft Baseline Security Analyzer, Windows Update Service, Microsoft Windows Update Services, and Systems Management Server to implement security updates
- Implement security updates on ISA Server only after thorough evaluation and testing

34 Guidelines for Enabling Only Required Services
- Enable only required services
- Minimize the number of Windows 2000 and Windows Server 2003 built-in services

35 How to Secure the Network Interfaces
Secure the External Network Interface
- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks
- Disable NetBIOS over TCP/IP
- Disable LMHOSTS lookup
- Disable automatic DNS name registration
Configure the Internal Network Interface
- Disable components if not required

36 Configuring Administrative Roles
ISA Server Administrative Roles (Role: Description)
- ISA Server Basic Monitoring: Monitor ISA Server and network activity. Cannot configure monitoring functionality
- ISA Server Extended Monitoring: Can perform all monitoring tasks. Can modify monitoring configuration
- ISA Server Full Administrator: Can perform all administrative tasks

37 Best Practices for Securing the Server
Securing ISA Server:
- Do Not Install ISA Server on a Domain Controller
- Avoid Installing an Internet Edge Server on a Domain Member
- Rename the Administrator Account
- Disable Unused Functionality
- Apply Windows Server Security Best Practices

38 Practice: Securing the ISA Server
- Configuring Active Directory for Securing ISA Server
- Configuring Security on Den-ISA-01
- (Diagram: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01)

39 Lesson: Maintaining ISA Server 2004
- About Monitoring the Server Running ISA Server
- About Exporting and Importing the ISA Server Configuration
- About Backing Up and Restoring the ISA Server Configuration
- Remote Administration Options for ISA Server

40 About Monitoring the Server Running ISA Server
ISA Server monitoring tasks include (Task: Description)
- Monitor Event Viewer: Includes information about service failures, application errors, and warnings
- Use the ISA Server Dashboard: Single interface for ISA alerts and performance
- Review the ISA Server Alerts: Includes information about service conditions and error conditions
- Monitor Connectivity to Network Services: Monitor connectivity to Active Directory, DNS servers, internal Web servers, and selected Internet Web servers
- Monitor Server Performance: Use the pre-configured ISA Server Performance Monitor console

41 About Exporting and Importing the ISA Server Configuration
- Use export and import to clone an ISA Server or to save a configuration for troubleshooting or to roll back a configuration change
- You can export the entire ISA Server configuration, or any individual or group of configuration settings
- Importing a configuration overwrites all settings from the exported file

42 About Backing Up and Restoring the ISA Server Configuration
- Use backup to create a configuration file that can be used for disaster recovery
- Backup creates a file with the entire ISA Server configuration
- Restoring a backup overwrites all ISA Server settings

43 Remote Administration Options for ISA Server
- Use remote administration to manage physically secured servers or servers in other offices
- Use Remote Desktop or Terminal Services to manage all settings on the server running ISA Server
- Configure the server running ISA Server to enable Remote Desktop and configure System Policy to enable remote MMC management
- Use the ISA Server Management MMC to manage ISA Server settings remotely

44 Practice: Maintaining ISA Server 2004
- Preparing the Client Computer for Remote Administration
- Preparing ISA Server for Remote Management
- Remotely administering ISA Server
- (Diagram: Internet, Den-ISA-01, Den-DC-01, Den-Clt-01)

45 Lab: Installing and Configuring ISA Server 2004
- Exercise 1: Performing an Unattended Installation of ISA Server 2004
- Exercise 2: Migrating an ISA Server Configuration
- Exercise 3: Securing ISA Server 2004
- (Diagram: Den-DC-01, Internet, Den-ISA-01, Den-ISA-02)

