Working with Microsoft ISA Server 2004
SkillSoft Corporation. (c) 2006.
Introduction
About the Book
ISA Server 2004 provides secure, fast, and controllable Internet connectivity. ISA Server 2004
provides various services, such as Job Scheduler and Firewall, to implement security on the
network. ISA Server also provides a Web cache solution: the Web cache stores the Web content that
a client requests from a Web server locally on the ISA Server computer and returns it to the client.
ISA Server provides another, complementary service, the organizational firewall solution, which
prevents unauthorized Internet users from accessing your organizational network.
About the Author
Chitrank Gautam
Chitrank Gautam holds a Bachelor's degree in Computer Science Engineering. He is proficient in
languages such as C, C++, C#, Visual Basic .NET, and Java. He has a sound knowledge of
databases, such as SQL Server and Oracle. He has also worked on Internet technologies, such as
HTML and ASP .NET. He has authored books and ReferencePoints on .NET technologies.
Credits
I would like to thank Sushmita Chakraborty and Shruti Gupta for helping me complete the book on
time and providing continuous support and encouragement.
Copyright
Working with Microsoft ISA Server 2004
Copyright © 2006 by SkillSoft Corporation
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying, recording, or by any information storage
or retrieval system, without the prior written permission of SkillSoft.
Trademarked names may appear in this publication. Rather than use a trademark symbol with every
occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit
of the trademark owner, with no intention of infringement of the trademark.
Published by SkillSoft Corporation
20 Industrial Park Drive
Nashua, NH 03062
(603) 324-3000
The information in this book is distributed on an "as is" basis, without warranty. Although every
precaution has been taken in the preparation of this work, neither the author nor SkillSoft shall have
any liability to any person or entity with respect to any loss or damage caused or alleged to be
caused directly or indirectly by the information contained in this work.
Chapter 1: Overview of Internet Security and Acceleration Server 2004
Microsoft Internet Security and Acceleration (ISA) Server 2004 helps secure an Internet connection
and also improves the performance of Internet access. ISA Server provides various ISA Server
services, such as Job Scheduler and Firewall, to implement security on the network. It also provides
features, such as monitoring and Virtual Private Networks (VPN), to manage the Internet
connection. ISA Server also allows you to define rules to secure the network and protect it from
unauthorized access.
This chapter provides an overview of ISA Server 2004, and explains its various features. It also
explains the differences between the Standard and Enterprise versions of the software.
Introducing ISA Server 2004
ISA Server 2004 provides a firewall solution to secure the network of your organization. An
organizational firewall solution prevents unauthorized Internet users from accessing the
organizational network. ISA Server also provides a Web cache solution that speeds up access to
the Internet. A Web cache retrieves the requested content from the Web server, stores it locally,
and sends it to the client. When the Web cache receives a request for the same information again,
it does not retrieve the information from the Internet; instead, it returns the information from
the cached data. This reduces network traffic and the response time for Web access. In addition,
ISA Server 2004 helps implement business policies to secure the network. You implement these
policies by configuring rules that specify the Web sites, protocols, and information that can pass
through an ISA Server 2004 computer.
ISA Server 2004 Architecture
ISA Server 2004 contains various communication layers to secure the organizational network. The
communication layers inspect the incoming and outgoing requests that pass through ISA Server to
ensure secure communication among the networks. The communication layers are:
• Packet filtering: Inspects the incoming and outgoing packets on a network to secure the
network. The data is first passed to the packet filtering layer, which determines which packets
can pass through ISA Server.
• Firewall service: Protects the network from unauthorized users. The data is passed to the
Firewall service layer after the packet filtering layer.
• Web proxy: Processes ISA Server 2004 rules and determines whether or not an HTTP
request should be processed.
Figure 1-1 shows the architecture of ISA Server 2004:
Figure 1-1: The ISA Server 2004 Architecture
The components of the ISA Server 2004 architecture are:
• Network Address Translation (NAT) driver: Performs the network address translation
process, which helps send and receive information by translating the IP addresses of the client
computers.
• Application filters: Allow you to use third-party filters, such as SurfControl Web Filter and GFI
Web Monitor, to extend the Firewall service. The Simple Mail Transfer Protocol (SMTP) and
FTP filters are examples of application filters.
• Clients: Represent the end-user computers that access ISA Server 2004. ISA Server
supports three types of clients:
♦ Firewall clients: Client computers with the Firewall Client software installed. The
Firewall clients use the Firewall service to access ISA Server.
♦ SecureNAT clients: Client computers that do not have the Firewall Client software
installed. SecureNAT clients use the Firewall service to access ISA Server.
♦ Web Proxy clients: Computers on which Web applications are configured to use
ISA Server as a proxy server.
ISA Server 2004 Features
ISA Server 2004 provides various features that help manage and secure Internet connections. The
key features of ISA Server 2004 are:
• Web Cache
• Multi-networking
• Security and firewall policy
• Virtual Private Networks
• Monitoring
• Add-Ins
• Enterprise Management
• Extensible Platform
Web Cache
ISA Server 2004 uses the Web cache to improve network performance. The various caching
features of ISA Server 2004 are:
• Distributed caching: Enables you to configure ISA Server 2004 on multiple computers and to
use those ISA Server 2004 computers as a single logical cache. ISA Server 2004 uses the Cache
Array Routing Protocol (CARP) to implement this feature.
• Hierarchical caching: Enables you to set up a hierarchy of computer arrays hosting ISA
Server. This enables a network client to access the data cached at the nearest cache.
• Scheduled caching: Enables you to configure and schedule ISA Server 2004 to fetch
frequently requested Web content into the cache in advance. You can use the Microsoft ISA
Server 2004 Job Scheduler service to implement the scheduled caching feature.
• Reverse caching: Enables external clients to access internal or published servers. You can
deploy ISA Server as a reverse caching server to cache all the data that external clients
frequently request from your network's published Web servers. ISA Server fulfills external
client requests from the cached data where possible. If the requested content is not found in
the Web cache, ISA Server forwards the request to the Web server.
• Forward caching: Enables internal clients to communicate with the Internet. You can deploy
ISA Server as a forward caching server to cache all frequently requested Web content. This
reduces the processing time needed to fulfill requests.
• High performance Web caching: Uses the RAM cache and the Web cache to cache
frequently requested Web content. This improves Web performance when internal clients
access Internet Web servers and when Internet users access the internal Web server.
Multi-Networking
Multi-networking is the process of grouping the networks of an organization into network sets. A
network set is a group of networks to which you can apply a rule to secure the networks in the
set. Multi-networking restricts communication between the clients in an organization, which
helps ISA Server protect an organization's network against internal and external security threats.
For each network set on an internal network, ISA Server allows you to configure an access policy
and define its relationship with the other network sets. The relationship between two network sets
defines how computers on these two networks communicate with each other. As a result, the
multi-networking feature of ISA Server allows you to identify, configure, and define the connections
and relationships among computers on internal and external networks.
Multi-Networking Environment
The multi-networking environment of an organizational network consists of network sets that a
firewall or a router connects. Inbound and outbound communication with a network is allowed or
denied based on the access control configuration on the firewall or router. Figure 1-2 shows the
multi-networking environment:
Figure 1-2: Multi-Networking Environment
The perimeter network in the multi−networking environment is connected to the organizational
network and the Internet. Connectivity between the perimeter network and the other two networks
allows the clients on the organizational network and the Internet to access the resources on the
perimeter network.
Note A perimeter network is set up in isolation from both the organizational network and the
Internet. A perimeter network protects the organizational network from access by external
users. External users can access specific servers located on the perimeter network. A
perimeter network is also called a screened subnet or a demilitarized network.
The connectivity between the various network sets in the multi-networking environment is as follows:
• Clients on the organizational network can access the Internet, but computers on the Internet
cannot access the clients on the organizational network.
• Clients on the organizational network can access the resources on the perimeter network.
• Clients on the Internet can access some resources on the perimeter network.
Network Access Policy
The network access policy defines the relationships among networks to specify whether the
networks can connect to each other. This policy also defines how the networks connect to each
other. You define network rules to set the level of access among the networks. Figure 1-3
shows the concept of the network access policy:
Figure 1-3: Network Access Policy
The relationships that network rules define among networks are:
• Routing relationship: Defines a bidirectional relationship that allows traffic between
networks. In Figure 1-3, this relationship exists between the branch office and headquarters,
and is represented by Label 1.
• NAT relationship: Defines a unidirectional NAT relationship. In the figure, three NAT
relationships exist:
♦ Organizational network to perimeter network: Defines the unidirectional relationship
from the organizational network to the perimeter network.
♦ Organizational network to Internet: Defines the unidirectional relationship from the
organizational network to the Internet.
♦ Perimeter network to Internet: Defines the unidirectional relationship from the
perimeter network to the Internet.
Note You should define a routing relationship when you want to publish IP addresses for Web
publishing or for publishing a mail server, and a NAT relationship when you do not want to expose
IP addresses.
Multi-Networking Features
The multi-networking features of ISA Server 2004 are:
• Multiple network configuration: Allows you to configure each network separately, with a
distinct relationship to the other networks in a multi-networking environment.
• Unique per-network policies: Ensure that internal or external attacks, such as virus
attacks, on one network do not affect another network. To ensure this, ISA Server limits
communication among clients. ISA Server's support for perimeter networks in multi-networking
scenarios allows you to configure how the various networks can access the perimeter network.
• Routed and NAT network relationships: Allow you to define network relationships
according to your routing, transparency, and security requirements. A routed relationship
routes traffic through ISA Server and is used when you require transparent, less secure
communication between networks. A NAT relationship is used when you require secure,
less transparent communication between networks.
Security and Firewall Policy
You can deploy ISA Server as a firewall to prevent unauthorized Internet users from accessing a
network. ISA Server monitors communication, including requests and responses, between the
Internet and the clients on a network. ISA Server 2004 uses monitoring to issue alerts on
unauthorized access attempts on the network. This allows only authorized users to access the
computers on a network. In addition, monitoring communication allows you to limit Internet access
to authorized clients on a network.
ISA Server 2004 allows you to control both inbound and outbound access based on the firewall
policy. This policy allows you to define access controls based on user, group, application, source,
destination, content, protocol, port, and schedule. For example, you can define a firewall policy to
allow or deny clients access to a resource. In addition, the firewall policy specifies the sites and
the content accessible for both inbound and outbound communication.
The various security and firewall policy features of ISA Server 2004 are:
• Allows you to define access rules, which specify the sites and content accessible from the
Internet and the protocols used to access them.
• Issues an alert on intrusion detection, such as an attack on a network.
• Supports complex protocols, such as those that streaming media, voice applications, and
video applications require. These applications require multiple primary connections.
• Allows you to define a customized protocol definition. You can define firewall policy rules for
a protocol to manage the source and destination port numbers of that protocol. The protocol
definition also allows you to manage the packets flowing through the firewall.
• Allows you to define network objects, such as computers, network sets, and address ranges.
You can apply one firewall policy rule to all the computers in a network object.
• Allows you to define firewall policy rules that are stored in an ordered list. ISA Server
compares the parameters of a connection with the connection parameters of the rules in the
order in which they appear in the list. When ISA Server finds the first rule whose connection
parameters match, it enforces the action of that rule. This is how ISA Server determines
whether a connection is allowed or denied.
• Supports FTP, which allows you to access Internet FTP servers that listen on alternate port
numbers. You do not need any special configuration on the client or the ISA Server computer
if the FTP port is allowed in the firewall policy for the client.
• Provides port redirection for server publishing rules. A client request received at one port
number can be redirected to another port number on the published server.
• Provides secure Web publishing. You can use the Web Publishing Wizard to create rules that
allow remote users to access the published servers from a remote location using Secure
Sockets Layer (SSL) connections. ISA Server allows you to place the servers behind the
firewalls on both the corporate network and a perimeter network to secure the services.
Placing servers behind firewalls allows you to securely publish the services of published
servers.
• Provides user authentication and authenticates an end user who sends a Web request. The
various user authentication methods that ISA Server 2004 provides are:
♦ Integrated authentication: Generates a unique number, called a message digest or
hash value, from the user name and the password before sending the hashed value
across the network. ISA Server 2004 uses the Kerberos V5 authentication protocol, the
Windows NT LAN Manager (NTLM) authentication protocol, or a challenge/response
authentication protocol to authenticate users using this method.
♦ Authentication using SSL client certificates: Encrypts and decrypts data to ensure the
privacy of all communication over the network.
♦ Digest authentication: Generates hash values for the user names, passwords, and
other data of HTTP clients.
♦ Advanced digest authentication: Generates hash values for user accounts in Active
Directory in a Windows Server 2003 domain. Active Directory is a directory service
that stores information, such as the computers, devices, and users on the network,
to securely manage the network.
♦ Basic authentication: Encodes user names and passwords using base-64 encoding.
Because the encoded authentication data can be decoded with any decoding utility, it
provides no protection for the credentials. This is the default authentication method.
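The two checks described above, the network rules (route or NAT relationship between two networks, as in Figure 1-3) and the ordered, first-match firewall policy list, modelled as an added Python example that is not from the book or from Microsoft; the network names, rule names, and connection fields are constructed for illustration.

```python
# Added example, not from the book: a toy model of the two checks the
# chapter describes. A connection must be permitted by a network rule
# (bidirectional route or one-way NAT relationship, as in Figure 1-3),
# then by the first matching rule in the ordered firewall policy; if no
# rule matches, the implicit default rule denies it. Names are assumed.
from dataclasses import dataclass, field

# Network rules modelled on Figure 1-3 (network names are assumptions).
NETWORK_RULES = [
    ("route", "Branch", "Headquarters"),  # both directions, addresses kept
    ("nat", "Internal", "Perimeter"),     # one direction, source address hidden
    ("nat", "Internal", "External"),
    ("nat", "Perimeter", "External"),
]

def network_relationship(src_net, dst_net):
    """Return 'route' or 'nat' if src_net may open connections to dst_net."""
    for kind, a, b in NETWORK_RULES:
        if kind == "route" and {a, b} == {src_net, dst_net}:
            return "route"
        if kind == "nat" and (a, b) == (src_net, dst_net):
            return "nat"
    return None

@dataclass
class AccessRule:
    """One firewall policy rule; an empty set means 'any'."""
    name: str
    action: str                       # "allow" or "deny"
    protocols: set = field(default_factory=set)
    src_nets: set = field(default_factory=set)
    dst_nets: set = field(default_factory=set)
    users: set = field(default_factory=set)
    hours: range = range(24)          # schedule: permitted hours of the day

    def matches(self, c):
        checks = ((self.protocols, c["protocol"]), (self.src_nets, c["src_net"]),
                  (self.dst_nets, c["dst_net"]), (self.users, c["user"]))
        return all(not s or v in s for s, v in checks) and c["hour"] in self.hours

# Constructed policy; order matters because evaluation stops at the first match.
POLICY = [
    AccessRule("Block streaming", "deny", protocols={"RTSP"}),
    AccessRule("Internet for staff", "allow", src_nets={"Internal"},
               dst_nets={"External"}, users={"staff"}, hours=range(8, 18)),
    AccessRule("Branch to HQ", "allow", src_nets={"Branch", "Headquarters"},
               dst_nets={"Branch", "Headquarters"}),
]

def evaluate(c, policy=POLICY):
    """Return (decision, deciding rule, True if the source address is NATed)."""
    rel = network_relationship(c["src_net"], c["dst_net"])
    if rel is None:
        return ("deny", "no network rule", False)
    for rule in policy:
        if rule.matches(c):
            return (rule.action, rule.name, rel == "nat")
    return ("deny", "default rule", rel == "nat")
```

Swapping the first two rules of POLICY lets the RTSP connection through, which is why the deny rule for streaming must sit above the broader allow rule.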
ISA Server 2004 provides multilayered firewall security by filtering traffic at the packet, circuit, and
application levels. The three types of filtering for securing the network are:
• Stateful packet filtering: Determines whether a packet can pass through network and
application-layer proxy services. Stateful packet filtering opens and closes ports
automatically for communication.
• Circuit filtering: Allows you to access Internet protocols and services from multiple platforms
using application-transparent circuit gateways. Gateways are devices that connect networks
and use protocols for communication among these networks.
• Application filtering and stateful inspection: Verifies whether or not the data in a packet is
valid. Application filtering evaluates packets at the application layer and allows the
connection only if the data in the packet is valid.
Virtual Private Networks
A VPN is a private network that a company uses for internal communication, or that companies use
to communicate with each other, over a public network. VPN messages use standard protocols for
communication over a private networking infrastructure. A VPN connects branch offices or remote
users to organizational networks, enabling them to send data.
The two types of VPN connections are:
• Remote access VPN connection: Allows remote clients to establish a remote access VPN
connection with a private network. Using this connection, a remote access client can access
a network attached to the VPN server.
• Site-to-site VPN connection: Enables communication among the offices of an organization
over a VPN connection between the sites.
The VPN feature enables you to apply a firewall policy to VPN connections to secure your network.
The VPN features of ISA Server 2004 include: