ISA Server 2004 UNLEASHED [Electronic resources] - Text version

Michael Noel

Documenting the ISA Server 2004 Design






The process of designing an ISA Server environment can include multiple design decisions, various decision rationales, and specific implementation settings. It is often difficult, after the design is complete, to retain the knowledge of why particular decisions were made during the design process. Subsequently, one of the first and most important sets of documentation for an ISA environment relates to the design of the environment itself.



This type of documentation can take many forms, but typically involves a formal design document, a server as-built document, and specific information on configured rules and settings, which can be gathered by a custom script. An example of such a script, which can be extremely valuable in the documentation of ISA settings, is provided in this section of the chapter.



For more information on designing an ISA Server environment, refer to Chapter 4, "Designing an ISA Server 2004 Environment."



Documenting the ISA Design Process






The first step in the implementation of an ISA Server 2004 environment is the development and approval of a design. Documenting this design contributes to the success of the project. The design document records the decisions made during the design process and provides a reference for testing, implementation, and support. The key components of a design document include:

- The goals and objectives of the project
- The background or what led up to the design
- The approach that will be used to implement the solution
- The details of the end state of the project






Goals and objectives can be surprisingly hard to pin down. They need to be detailed and concrete enough to define the results that you want while staying at a high level. For instance, "reduce down time" is too vague to be considered a functional goal, whereas "implement Network Load Balancing with ISA Server 2004 Enterprise Edition to reduce downtime to less than one minute in the case of single server failure" is much more specific.



Including the background of meetings and brainstorming sessions that led up to the decisions for the end state of the project provides the groundwork for the detailed designs provided later in the document. For example, a decision may have been made "because the CEO wants it that way," which affects the post-migration environment. Other decisions may have come about after many hours of debates over the particulars and required technical research to come up with the "right" answer. Recording this level of information can be extremely useful in the future if performance issues are encountered or additional changes to the network are being considered.



The description of the end state to be implemented can be very high level or can drill down to more specific configurations of each server, depending on the document's audience. However, it is recommended that the design document not include step-by-step procedures or other details of how the process is to be accomplished. This level of detail is better handled, in most cases, in dedicated configuration or training documents as discussed later in this chapter.



Formalizing ISA Server Configuration with As-Built Documentation






The configuration document, often referred to as an as-built, details a snapshot configuration of the ISA Server 2004 system as it is built. This document contains essential information required to rebuild a server.



One way to create an as-built document is to export settings on a server using tools such as the script illustrated in the next section of this chapter and with built-in Windows utilities such as WinMSD. WinMSD is a simple export utility that is included in the base Windows operating system, and exports server-specific settings to a text file. This data can then be imported into formal documentation easily.



To export the configuration of an ISA Server using WinMSD, perform the following steps:

1. Log in to the ISA Server as a local administrator.

2. Go to Start, Run, and type winmsd and click Run.

3. From the System Information dialog box, shown in Figure 20.1, go to File, Export.

Figure 20.1. Using WinMSD to export Windows settings for ISA documentation.

4. Enter a name and a location for the exported text file and click Save.






After the specific settings on an ISA server have been acquired, they can be formalized into as-built documentation. The following is an example of an ISA Server 2004 as-built document template:




Introduction
The purpose of this ISA Server 2004 as-built document is to assist an
experienced network administrator or engineer in restoring the server in the
event of a hardware failure. This document contains screen shots and
configuration settings for the server at the time it was built. If settings
are not explicitly defined in this document, they are assumed to be set to
defaults. It is not intended to be a comprehensive disaster recovery plan with
step-by-step procedures for rebuilding the server. For this document
to remain useful as a recovery aid, it must be updated as configuration
settings change.
System Configuration
    Hardware Summary
    Disk Configuration
        Physical Disk Configuration
        Logical Disk Configuration
    System Summary
    Device Manager
    RAID Configuration
    TCP/IP Configuration
ISA Configuration
    Networks
    Network Rules
    Firewall Policy Rules
    VPN Configuration
    Antivirus Configuration
    Add-Ons



Documenting Specific ISA Configuration with Custom Scripting






The ISA Server Console makes it easy to view firewall policy rules, network rules, VPN configuration, and other ISA settings. Although individual elements and entire configurations can be exported for backup or migration purposes, there is no built-in way to export these settings to a simple text format for documentation purposes.



Fortunately, the ISA Server development team included a relatively straightforward scripting mechanism called the FPC object that allows for the export of ISA settings to text, CSV, or other formats. This enables administrators with scripting knowledge to generate documentation from an ISA server easily, without having to decipher the XML export files. For more information about the FPC object, reference the following Microsoft website:



http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaobj1_97lg.asp



The following custom script gives an example of the type of capabilities that the FPC object can give an administrator who is tasked with the documentation of ISA rules. It exports the ISA Firewall Policy rules on the local server on which it is run. All the rules information is exported to a CSV file, such as the one shown in Figure 20.2.





Figure 20.2. Examining the CSV file that the ISA documentation custom script generates.


NOTE



The isaconfig.wsf script, along with others referenced in this book, can be downloaded from the Sams Publishing website.



This particular script can be run by executing the following command from the directory where the script is located:




Cscript isaconfig.wsf /path:C:



Listing 20.1 shows the code for the custom documentation script.



Listing 20.1. Examining the isaconfig.wsf Documentation Script


<?xml version="1.0" ?>
<package>
<job id="isaconfig">
<runtime>
<description>
************************************************************
ISA Configuration Report Job
************************************************************
</description>
<named name="path" helpstring="The UNC or file path you want to export the configuration report to." type="string" required="1" />
<named name="silent" helpstring="Runs script in silent mode." type="simple" required="0" />
<example>
Example:
cscript isaconfig.wsf /path:"\\remoteserver\sharename"
cscript isaconfig.wsf /path:"c:\isainfo"
</example>
</runtime>
<form>
</form>
<script language="VBScript">
<![CDATA[
'===================================================================
' Comments about the script
'===================================================================
' This script uses the FPC object to produce a report of the policies in an
' ISA configuration. As currently written, this script can be run only on the
' local ISA server that you are trying to export the configuration from.
' In conjunction with the FPCArray object the script can be modified to
' produce a script that would allow for a centralized report of all ISA
' servers in an organization.
'
' It is also important to note that this script was developed in an effort to
' try to give a visual representation of the policy configuration that is
' present on an ISA server. Not all the elements that are in a policy are
' represented in the report. The report is therefore not a complete
' configuration and should be used only to document the current policies that
' are in place.
'
' To expand upon the script and for more information about the FPC object
' please see the following URL:
'
' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isasdk/isa/fpc_object.asp
'
' Please note that in all cases usage of the FPC object is limited to a
' server that has ISA 2004 or greater installed on it.
'
'===================================================================
' Check args
'===================================================================
If WScript.Arguments.Named.Exists("path") = False Then
    WScript.Arguments.ShowUsage()
    WScript.Quit
End If

Const ForWriting = 2
Dim FSO, WSHNetwork
Dim objLogFile
Dim strPath
Dim strFileName
Dim dtmThisMinute, dtmThisHour
Dim dtmThisDay, dtmThisMonth, dtmThisYear

Set WSHNetwork = CreateObject("WScript.Network")
strPath = WScript.Arguments.Named("path")
Set FSO = CreateObject("Scripting.FileSystemObject")

' Build an output file name of the form <computer>-YYYY-MM-DD-HH-MM.csv
dtmThisMinute = PadDigits(Minute(Now), 2)
dtmThisHour = PadDigits(Hour(Now), 2)
dtmThisDay = PadDigits(Day(Now), 2)
dtmThisMonth = PadDigits(Month(Now), 2)
dtmThisYear = Year(Now)
strFileName = WSHNetwork.ComputerName & "-" & dtmThisYear & "-" & dtmThisMonth & "-" & _
    dtmThisDay & "-" & dtmThisHour & "-" & dtmThisMinute & ".csv"
Set objLogFile = FSO.OpenTextFile(strPath & "\" & strFileName, ForWriting, True)

Dim objRoot   ' The FPCLib.FPC root object
Dim isaArray  ' An FPCArray object
Set objRoot = CreateObject("FPC.Root")
Set isaArray = objRoot.GetContainingArray()

'--------------------
' Write Headers
'--------------------
' Note: values are written without CSV quoting, so a rule name that contains
' a comma will shift the columns of that row.
objLogFile.Write("Order")
objLogFile.Write(",")
objLogFile.Write("Name")
objLogFile.Write(",")
objLogFile.Write("Action")
objLogFile.Write(",")
objLogFile.Write("Type")
objLogFile.Write(",")
objLogFile.Write("Protocols")
objLogFile.Write(",")
objLogFile.Write("From/Listener")
objLogFile.Write(",")
objLogFile.Write("To")
objLogFile.Write(",")
objLogFile.Write("Condition")
objLogFile.WriteLine()

'--------------------
' Write one row per firewall policy rule, in rule order
'--------------------
For Each Policy In isaArray.ArrayPolicy.PolicyRules
    objLogFile.Write(Policy.Order)
    objLogFile.Write(",")
    objLogFile.Write(Policy.Name)
    objLogFile.Write(",")
    strPolicyAction = Policy.Action
    If strPolicyAction = 0 Then
        objLogFile.Write("Allow")
    Else
        objLogFile.Write("Deny")
    End If
    objLogFile.Write(",")
    strPolicyType = Policy.Type
    '--------------------
    ' Policy Type Cases
    '--------------------
    ' There are three basic ISA Policy Types (Access Rule, Server Publishing Rule,
    ' Web Publishing Rule). Policy.Type is a numeric enumeration value, so the
    ' Case labels are numbers: Select Case in VBScript requires the subtypes of
    ' the test expression and the Case label to match, and a string label such
    ' as "0" would never match.
    Select Case strPolicyType
        Case 0
            objLogFile.Write("Access Rule")
            objLogFile.Write(",")
            '--------------------
            ' Get Protocol Information
            '--------------------
            j = 1
            strProtSelectMethod = Policy.AccessProperties.ProtocolSelectionMethod
            If strProtSelectMethod = 0 Then
                objLogFile.Write("All Outbound Traffic")
            ElseIf strProtSelectMethod = 2 Then
                objLogFile.Write("All Except:")
            End If
            For Each Item In Policy.AccessProperties.SpecifiedProtocols
                objLogFile.Write(Item)
                If j <> Policy.AccessProperties.SpecifiedProtocols.Count Then
                    objLogFile.Write("; ")
                End If
                j = j + 1
            Next
            objLogFile.Write(",")
            '--------------------
            ' Get Source Network Information
            '--------------------
            GetNet(Policy.SourceSelectionIPs)
            '--------------------
            ' Get Destination Network Information
            '--------------------
            GetNet(Policy.AccessProperties.DestinationSelectionIPs)
            '--------------------
            ' Get Conditions
            '--------------------
            GetConditions(Policy.AccessProperties.UserSets)
        Case 1
            objLogFile.Write("Server Publishing Rule")
            objLogFile.Write(",")
            '--------------------
            ' Get Published Protocol
            '--------------------
            objLogFile.Write(Policy.ServerPublishingProperties.PublishedProtocol)
            objLogFile.Write(",")
            '--------------------
            ' Get Source Network Information
            '--------------------
            GetNet(Policy.SourceSelectionIPs)
            '--------------------
            ' Get Published Server
            '--------------------
            objLogFile.Write(Policy.ServerPublishingProperties.PublishedServerIP)
        Case 2
            objLogFile.Write("Web Publishing Rule")
            objLogFile.Write(",")
            '--------------------
            ' Get Web Server Type
            '--------------------
            strWebPubType = Policy.WebPublishingProperties.PublishedServerType
            If strWebPubType = 0 Then
                objLogFile.Write("HTTP")
            ElseIf strWebPubType = 1 Then
                objLogFile.Write("HTTPS")
            ElseIf strWebPubType = 2 Then
                objLogFile.Write("HTTP & HTTPS")
            ElseIf strWebPubType = 3 Then
                objLogFile.Write("FTP")
            End If
            objLogFile.Write(",")
            '--------------------
            ' Get Web Listener
            '--------------------
            objLogFile.Write(Policy.WebPublishingProperties.WebListenerUsed)
            objLogFile.Write(",")
            '--------------------
            ' Get Published Web Site Name
            '--------------------
            objLogFile.Write(Policy.WebPublishingProperties.WebSite)
            objLogFile.Write(",")
            '--------------------
            ' Get Conditions
            '--------------------
            GetConditions(Policy.WebPublishingProperties.UserSets)
        Case Else
            ' Unknown rule type: the row is left with only Order, Name and Action
    End Select
    objLogFile.WriteLine()
Next

objLogFile.Close
If WScript.Arguments.Named.Exists("silent") = False Then
    WScript.Echo("Finished export to " & strPath & "\" & strFileName)
End If

'===================================================================
' Functions
'===================================================================
'--------------------
' Pad Digits
'--------------------
' This function is used to pad date variables that contain only one digit.
Function PadDigits(n, totalDigits)
    If totalDigits > Len(n) Then
        PadDigits = String(totalDigits - Len(n), "0") & n
    Else
        PadDigits = n
    End If
End Function

'--------------------
' Get Conditions
'--------------------
' This function writes the user sets (conditions) of a rule as a "; "-separated
' list. Each item is an FPC reference whose default property is its name.
Function GetConditions(ObjectPath)
    Dim objConditions, objConditionsDict
    Set objConditions = ObjectPath
    Set objConditionsDict = CreateObject("Scripting.Dictionary")
    j = 1
    For Each Item In objConditions
        objConditionsDict.Add j, Item
        j = j + 1
    Next
    j = 1
    For Each Condition In objConditionsDict
        objLogFile.Write(objConditionsDict.Item(Condition))
        If j <> objConditionsDict.Count Then
            objLogFile.Write("; ")
        End If
        j = j + 1
    Next
    Set objConditionsDict = Nothing
    Set objConditions = Nothing
End Function

'--------------------
' Get Network Information
'--------------------
' This function writes the network information (address ranges, computers,
' computer sets, networks, network sets and subnets) for one side of a rule as
' a "; "-separated list, followed by the column separator.
Function GetNet(ObjectPath)
    Dim objNet, objNetDict
    Set objNet = ObjectPath
    Set objNetDict = CreateObject("Scripting.Dictionary")
    j = 1
    For Each Item In objNet.AddressRanges
        objNetDict.Add j, Item
        j = j + 1
    Next
    For Each Item In objNet.Computers
        objNetDict.Add j, Item
        j = j + 1
    Next
    For Each Item In objNet.ComputerSets
        objNetDict.Add j, Item
        j = j + 1
    Next
    For Each Item In objNet.Networks
        objNetDict.Add j, Item
        j = j + 1
    Next
    For Each Item In objNet.NetworkSets
        objNetDict.Add j, Item
        j = j + 1
    Next
    For Each Item In objNet.Subnets
        objNetDict.Add j, Item
        j = j + 1
    Next
    j = 1
    For Each Net In objNetDict
        objLogFile.Write(objNetDict.Item(Net))
        If j <> objNetDict.Count Then
            objLogFile.Write("; ")
        End If
        j = j + 1
    Next
    objLogFile.Write(",")
    Set objNetDict = Nothing
    Set objNet = Nothing
End Function
]]>
</script>
</job>
</package>
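The CSV the script produces is only useful as documentation if someone reads it. The following added example (not from the book or the Sams download) shows how a reviewer can check such an export: it flags Allow access rules that pass every protocol from Internal to External for All Users, lists Deny rules that sit below such a rule and therefore never fire, and diffs two snapshots to detect drift since the as-built was written. The column names and value strings ("Allow", "Access Rule", "All Outbound Traffic") follow the script's own output; the two exports are constructed sample data.

```python
import csv
import io

# Constructed sample exports (not real ISA output): a baseline snapshot and a
# later one where a broad "temporary" rule was inserted at the top of the policy.
BASELINE = """Order,Name,Action,Type,Protocols,From/Listener,To,Condition
1,Block Malware Sites,Deny,Access Rule,HTTP; HTTPS,Internal,Malware Sites,All Users
2,Internet Access,Allow,Access Rule,HTTP; HTTPS; FTP,Internal,External,Internet Users
3,OWA Publishing,Allow,Web Publishing Rule,HTTPS,OWA Listener,mail.example.com,All Users
"""
DRIFTED = """Order,Name,Action,Type,Protocols,From/Listener,To,Condition
1,Temp Vendor Access,Allow,Access Rule,All Outbound Traffic,Internal,External,All Users
2,Block Malware Sites,Deny,Access Rule,HTTP; HTTPS,Internal,Malware Sites,All Users
3,Internet Access,Allow,Access Rule,HTTP; HTTPS; FTP,Internal,External,Internet Users
4,OWA Publishing,Allow,Web Publishing Rule,HTTPS,OWA Listener,mail.example.com,All Users
"""

def parse_export(text):
    """Parse the CSV written by isaconfig.wsf into rule dicts sorted by Order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Order"] = int(row["Order"])
    return sorted(rows, key=lambda r: r["Order"])

def permissive_rules(rows):
    """Allow access rules passing all protocols Internal -> External for All Users;
    each one needs a documented justification in the design document."""
    return [r["Name"] for r in rows
            if r["Action"] == "Allow" and r["Type"] == "Access Rule"
            and r["Protocols"].startswith("All Outbound Traffic")
            and r["To"] == "External" and r["Condition"] == "All Users"]

def shadowed_denies(rows):
    """Deny rules ordered after a permissive allow. ISA applies the first matching
    rule, so these denies never fire for traffic the allow already matched."""
    broad = set(permissive_rules(rows))
    first = min((r["Order"] for r in rows if r["Name"] in broad), default=None)
    return [r["Name"] for r in rows
            if first is not None and r["Action"] == "Deny" and r["Order"] > first]

def diff_exports(old, new):
    """Drift between two snapshots as (added, removed, changed) rule names.
    Order is ignored, so renumbering alone is not reported as a change."""
    strip = lambda r: {k: v for k, v in r.items() if k != "Order"}
    old_by = {r["Name"]: strip(r) for r in old}
    new_by = {r["Name"]: strip(r) for r in new}
    added = sorted(set(new_by) - set(old_by))
    removed = sorted(set(old_by) - set(new_by))
    changed = sorted(n for n in old_by.keys() & new_by.keys() if old_by[n] != new_by[n])
    return added, removed, changed
```

Run against the real export by replacing the constructed strings with the file contents; because the script writes values unquoted, a rule name containing a comma will shift that row's columns and should be renamed or quoted first.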