Module 2: Installing and Maintaining ISA Server

Overview
  • Installing ISA Server 2004
  • Choosing ISA Server Clients
  • Installing and Configuring Firewall Clients
  • Advanced Firewall Client Configuration
  • Securing ISA Server 2004
  • Maintaining ISA Server 2004

Lesson: Installing ISA Server 2004
  • System and Hardware Requirements for ISA Server 2004
  • Installation Types and Components
  • Configuration Choices During Installation
  • How to Perform an Unattended Installation of ISA Server 2004
  • How to Verify an Installation of ISA Server 2004
  • Default Configuration for ISA Server 2004
  • How to Modify the ISA Server Installation
  • Upgrade Options from ISA Server 2000 to ISA Server 2004

System and Hardware Requirements for ISA Server 2004
  • Windows Server 2000 or Windows Server 2003
  • RAM: 256 MB
  • CPU: 500 MHz
  • Hard Disk Format: NTFS
  • Hard Disk Space: 150 MB
  • Diagram labels: Internal, External

Installation Types and Components

Configuration Choices During Installation

Practice: Installing ISA Server 2004
  • Diagram labels: Den-ISA-01, Den-DC-01, Internet

How to Perform an Unattended Installation of ISA Server 2004
  • Why Use an Unattended Installation of ISA Server?
  • Modifying the Msisaund.ini File

    [Setup Property Assignment]
    PIDKEY=xxxxxxxxxxxxx
    INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
    INSTALLDIR=C:\Program Files\Microsoft ISA Server
    COMPANYNAME=Coho Vineyards
    DONOTDELLOGS=1
    DONOTDELCACHE=1
    ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE

  • Running an Unattended Setup

    D:\Setup.exe /V" /qn FULLPATHANSWERFILE=\"c:\MSISAUND.INI\""
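
An unattended setup runs with no prompt to catch a mistyped INTERNALNETRANGES value, and that value decides which addresses ISA Server treats as the Internal network. The following check is an added example, not part of the original slides or of ISA Server; the function names are hypothetical, and it assumes multiple ranges are comma-separated after the leading count.

```python
import configparser
import ipaddress

# Constructed sample answer file, modeled on the Msisaund.ini excerpt above.
SAMPLE_INI = r"""
[Setup Property Assignment]
PIDKEY=xxxxxxxxxxxxx
INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
INSTALLDIR=C:\Program Files\Microsoft ISA Server
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
"""

def parse_internal_ranges(value):
    """Parse 'N from-to[,from-to...]' into a list of (start, end) addresses."""
    count_text, _, ranges_text = value.strip().partition(" ")
    ranges = []
    for item in ranges_text.split(","):  # assumption: comma-separated ranges
        start_text, sep, end_text = item.strip().partition("-")
        if not sep:
            raise ValueError(f"expected from-to, got {item!r}")
        start = ipaddress.IPv4Address(start_text.strip())
        end = ipaddress.IPv4Address(end_text.strip())
        if start > end:
            raise ValueError(f"range {item.strip()} starts after it ends")
        ranges.append((start, end))
    if not count_text.isdigit() or int(count_text) != len(ranges):
        raise ValueError(f"declared count {count_text!r}, found {len(ranges)} range(s)")
    return ranges

def check_answer_file(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the upper-case property names
    parser.read_string(text)
    props = parser["Setup Property Assignment"]
    findings = []
    try:
        for start, end in parse_internal_ranges(props.get("INTERNALNETRANGES", "")):
            # Split the range into CIDR blocks and require every block to be private.
            blocks = ipaddress.summarize_address_range(start, end)
            if not all(block.is_private for block in blocks):
                findings.append(f"{start}-{end} reaches beyond private address space")
    except ValueError as exc:  # also covers malformed IPv4 addresses
        findings.append(f"INTERNALNETRANGES: {exc}")
    return findings

if __name__ == "__main__":
    print(check_answer_file(SAMPLE_INI) or "no findings")
```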

How to Verify an Installation of ISA Server 2004
  • Verify that the ISA Server services are installed and started
  • Verify that the MSDE services are installed and started
  • Review the setup log files
  • Check the Application Log in the Event Viewer
  • Check for ISA Server Alerts

Default Configuration for ISA Server 2004
  • Only Administrators can modify firewall policies
  • Traffic is routed between the ISA Server and all other networks
  • Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation
  • Traffic is routed between the VPN network and the Internal network
  • System policy permits access to the ISA Server but access rules deny all network traffic through the ISA Server
  • No servers are published
  • Web Proxy requests will be retrieved directly from the Internet
  • Caching is disabled
  • A rule enabling access to the Firewall Client installation share is configured if you install the Firewall Client installation files

Practice: Verifying the Installation and Default Configuration of ISA Server 2004
  • Verifying the successful installation of ISA Server 2004
  • Examining the default installation of ISA Server 2004
  • Diagram labels: Den-ISA-01, Internet, Den-DC-01

How to Modify the ISA Server Installation Options

Upgrade Options from ISA Server 2000 to ISA Server 2004
  • In-Place Upgrade: Install ISA Server 2004, ISA Server 2000
  • Migration: ISA Server 2000, Extract the ISA Server 2000 configuration, Import the ISA Server Configuration, Install ISA Server 2004

Lesson: Choosing ISA Server Clients
  • Types of ISA Server Clients
  • How to Configure a SecureNAT Client
  • How to Configure Web Proxy Clients
  • Guidelines for Choosing an ISA Server Client

Types of ISA Server Clients
  • SecureNAT Client: Does not require you to deploy client software
  • Web Proxy Client: Improves the performance of Web requests for internal clients
  • Firewall Client: Allows Internet access only for authenticated users
  • Diagram labels: Internet, ISA Server

How to Configure a SecureNAT Client
  • SecureNAT clients do not require client installation or client configuration
  • On a single subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway
  • On a multiple subnet network, configure the IP address of the router as the SecureNAT client default gateway

How to Configure Web Proxy Clients

Guidelines for Choosing an ISA Server Client
If you need to… (then use…)
  • Avoid deploying client software: SecureNAT clients
  • Use ISA Server only for forward caching: SecureNAT or Web Proxy clients
  • Allow access only for authenticated clients: Firewall clients or Web Proxy clients
  • Publish servers on your internal network: SecureNAT clients
  • Improve Web performance for non-Windows operating systems: SecureNAT or Web Proxy clients

Practice: Configuring SecureNAT and Web Proxy Clients
  • Configuring ISA Server to log client connections
  • Configuring and testing a SecureNAT client
  • Configuring and testing a Web Proxy client
  • Diagram labels: Den-ISA-01, Internet, Den-Clt-01, Den-DC-01

Lesson: Installing and Configuring Firewall Clients
  • How to Configure Firewall Client Settings
  • The Firewall Client Installation and Configuration Process
  • Options for Automating the Firewall Client Installation

How to Configure Firewall Client Settings

The Firewall Client Installation and Configuration Process
The Firewall Client:
  • Uses a common Winsock service provider that other Winsock applications use to connect to application servers
  • Intercepts Winsock client application calls for remote application servers and redirects the request to ISA Server
Install the Firewall Client:
  • From the Firewall Client share on the computer running ISA Server or another network share

Practice: Installing the Firewall Client
  • Configuring the Firewall Client settings on ISA Server
  • Installing the Firewall Client
  • Diagram labels: Den-ISA-01, Internet, Den-Clt-01, Den-DC-01

Options for Automating the Firewall Client Installation
  • Software package distributed using Group Policies
  • Unattended installation
  • SMS package distributed to specific clients using SMS

Lesson: Advanced Firewall Client Configuration
  • Advanced Firewall Client Configuration Options
  • Firewall Client Configuration Files
  • What Is the Automatic Discovery Feature?

Advanced Firewall Client Configuration Options
Locallat.txt:
  • A client computer-specific file that defines local addresses for that client
  • The client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the local IP addresses
Advanced Firewall Client settings:
  • Can configure locally for each user and for each computer
  • Configure changes to Firewall Client .ini files

Firewall Client Configuration Files
Application.ini

    [FW_Client_App]
    Disable=0
    NameResolution=R
    LocalBindTcpPorts=7777
    LocalBindUdpPorts=7000-7022, 7100-7170
    RemoteBindTcpPorts=30
    RemoteBindUdpPorts=3000-3050
    ServerBindTcpPorts=100-300
    ProxyBindIp=80:192.168.10.20, 82:192.168.10.30
    KillOldSession=1
    Persistent=1
    ForceCredentials=1
    NameResolutionForLocalHost=L

What Is the Automatic Discovery Feature?
  • Where is Lon-ISA-02?
  • Query DHCP or DNS for a WPAD entry
  • DNS or DHCP Server: WPAD: Den-ISA-01
  • Request Firewall Client Configuration File
  • Diagram label: Den-ISA-01

Practice: Configuring Automatic Discovery
  • Configure the ISA Server for Automatic Discovery
  • Configure DHCP for Automatic Discovery
  • Configure DNS for Automatic Discovery
  • Diagram labels: Den-ISA-01, Internet, Den-Clt-01, Den-DC-01, DNS Server, DHCP Server

Lesson: Securing ISA Server 2004
  • ISA Server and Defense in Depth
  • About Using Security Templates to Secure the Server
  • Methods for Implementing Security Updates
  • Guidelines for Enabling Only Required Services
  • How to Secure the Network Interfaces
  • Configuring Administrative Roles
  • Best Practices for Securing the Server

ISA Server and Defense in Depth
Security at all levels:
  • Increases an attacker’s risk of detection
  • Reduces an attacker’s chance of success
Layers:
  • Policies, Procedures, & Awareness: User education
  • Physical Security: Guards, locks, tracking devices
  • Data: ACLs, encryption, EFS
  • Application: hardening, antivirus
  • Operating Systems: OS hardening, authentication, patch management, HIDS
  • Internal Network: segments, IPSec, NIDS
  • Perimeter: Firewalls, Network Access Quarantine Control

About Using Security Templates to Secure the Server
  • Configure one security template and then apply it to multiple computers, or reapply the template occasionally to the same computers to ensure that the security settings are not changed
  • Apply the security template through Group Policies at a domain or organizational unit level
  • Use the Security Templates MMC snap-in to apply the security templates to ISA Servers

Methods for Implementing Security Updates
  • Monitor security updates to know what security updates are available and the security issues each update is designed to fix
  • Use tools like Microsoft Baseline Security Analyzer, Windows Update Service, Microsoft Windows Update Services, and Systems Management Server to implement security updates
  • Implement security updates on ISA Server only after thorough evaluation and testing

Guidelines for Enabling Only Required Services
  • Enable only required services
  • Minimize the number of Windows 2000 and Windows Server 2003 built-in services

How to Secure the Network Interfaces
Secure the External Network Interface:
  • Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks
  • Disable NetBIOS over TCP/IP
  • Disable LMHOSTS lookup
  • Disable automatic DNS name registration
Configure the Internal Network Interface:
  • Disable components if not required

Configuring Administrative Roles
ISA Server Administrative Roles (role: description)
  • ISA Server Basic Monitoring: Monitor ISA Server and network activity. Cannot configure monitoring functionality.
  • ISA Server Extended Monitoring: Can perform all monitoring tasks. Can modify monitoring configuration.
  • ISA Server Full Administrator: Can perform all administrative tasks.

Best Practices for Securing the Server
Securing ISA Server:
  • Do Not Install ISA Server on a Domain Controller
  • Avoid Installing an Internet Edge Server on a Domain Member
  • Rename the Administrator Account
  • Disable Unused Functionality
  • Apply Windows Server Security Best Practices

Practice: Securing the ISA Server
  • Configuring Active Directory for Securing ISA Server
  • Configuring Security on Den-ISA-01
  • Diagram labels: Den-ISA-01, Internet, Den-Clt-01, Den-DC-01

Lesson: Maintaining ISA Server 2004
  • About Monitoring the Server Running ISA Server
  • About Exporting and Importing the ISA Server Configuration
  • About Backing Up and Restoring the ISA Server Configuration
  • Remote Administration Options for ISA Server

About Monitoring the Server Running ISA Server
Monitoring tasks include (task: description)
  • Monitor Event Viewer: Includes information about service failures, application errors, and warnings
  • Use the ISA Server Dashboard: Single interface for ISA alerts and performance
  • Review the ISA Server Alerts: Includes information about service conditions and error conditions
  • Monitor Connectivity to Network Services: Monitor connectivity to Active Directory, DNS servers, internal Web servers, and selected Internet Web servers
  • Monitor Server Performance: Use the pre-configured ISA Server Performance Monitor console

About Exporting and Importing the ISA Server Configuration
  • Use export and import to clone an ISA Server or to save a configuration for troubleshooting or to roll back a configuration change
  • You can export the entire ISA Server configuration, or any individual or group of configuration settings
  • Importing a configuration overwrites all settings from the exported file

About Backing Up and Restoring the ISA Server Configuration
  • Use backup to create a configuration file that can be used for disaster recovery
  • Backup creates a file with the entire ISA Server configuration
  • Restoring a backup overwrites all ISA Server settings

Remote Administration Options for ISA Server
  • Use remote administration to manage physically secured servers or servers in other offices
  • Use Remote Desktop or Terminal Services to manage all settings on the server running ISA Server
  • Use the ISA Server Management MMC to manage ISA Server settings remotely
  • Configure the server running ISA Server to enable Remote Desktop and configure System Policy to enable remote MMC management

Practice: Maintaining ISA Server 2004
  • Preparing the Client Computer for Remote Administration
  • Preparing ISA Server for Remote Management
  • Remotely administering ISA Server
  • Diagram labels: Den-ISA-01, Internet, Den-Clt-01, Den-DC-01

Lab: Installing and Configuring ISA Server 2004
  • Exercise 1: Performing an Unattended Installation of ISA Server 2004
  • Exercise 2: Migrating an ISA Server Configuration
  • Exercise 3: Securing ISA Server 2004
  • Diagram labels: Den-ISA-01, Internet, Den-DC-01, Den-ISA-02