The New GUI: More Than Just a Pretty Interface
First, we'll look at the first thing the ISA user sees: the graphical interface. There's no question that ISA 2004's interface is more intuitive than the ISA 2000 interface. Improving the user experience by making the interface friendlier was a major goal of the development team, and they've done a good job. It's easy for someone who isn't familiar with ISA 2000 to sit down at the ISA 2004 interface and click his or her way to performing many of the common firewall administrative tasks without consulting the Help file.
Examining the Graphical Interface
Figure 2.1 shows the ISA Server 2000 management GUI, and Figure 2.2 shows the new ISA Server 2004 GUI. As you can see, the former looks pretty much like any other Microsoft Management Console (MMC), with its simple left-pane tree and right details pane.

Figure 2.1: The ISA 2000 Interface - A Simple MMC

Figure 2.2: The ISA Server 2004 Management GUI - A Handy Three-part Tabbed Interface
The ISA Server 2004 console is much richer, with a three-pane window that still includes the familiar tree structure in the left pane, but gives you tabbed pages in the middle and right panes that make it easy to select the type of tasks you want to perform and get precise help in performing them. No longer do you have to click through dozens of dialog boxes within dialog boxes in order to find the configuration setting you want. Instead, common management tasks are, literally, at your fingertips. This point-and-click interface can easily be learned by any IT administrator, without extensive training.
Note: You can use the management console to connect to remote ISA servers as well as the local ISA Server. You can also install the management console on a workstation or non-ISA server and manage your ISA machines remotely. You select the ISA computer you want to manage by clicking Connect to Local or Remote ISA Server in the right console pane, on the Tasks tab.
Clicking the top node in the management console's left pane (labeled Microsoft Internet Security and Acceleration Server 2004) displays the Welcome page in the middle pane. This interface provides quick links to the following options:
The Getting Started Guide, an HTML document (Figure 2.3), provides detailed guidance for installing and configuring ISA Server 2004 and includes a 'Feature Walk-Through' that shows you scenarios for performing specific common tasks.

Figure 2.3: The ISA Server 2003 Getting Started Guide - Installation Instructions and a Features Walk-through
Best Practices for Securing your ISA Server takes you to the Security and Administration section of the ISA Server 2004 Help file. There is also a link to the Guides and Articles page on the ISA Server Website, http://www.microsoft.com/isaserver/techinfo/howto/, where you can find the most current version of the Security Best Practices document.
The Getting Started Page (not to be confused with the Getting Started Guide) provides a logically-organized, task-driven list of steps that allow you to quickly and easily set up your ISA Server (discussed in the next section).
The Microsoft ISA 2004 Web site at www.microsoft.com/isaserver has product updates, customer support information, and the latest news about ISA Server.
Partner Products Web site offers an extensive list of third-party add-ons to enhance the functionality of ISA Server, with links to partner sites, case studies, and partner news and reviews.
Examining The Management Nodes
Depending on your selection in the left pane, the middle pane displays different clickable configuration items. The left pane nodes include:
ISA Server (Name) Top Node
Monitoring Node
Firewall Policy Node
Virtual Private Networks (VPN) Node
Configuration Node
The Configuration Node contains four subnodes:
Networks
Cache
Add-ins
General
In the following subsections, we'll take a look at each of the nodes and their interfaces and what you can do with each.
ISA Server (Name) Top Node
If you select the node representing your ISA Server firewall (in the figures, the firewall's name is ROADBLOCK), the middle pane will display the Getting Started with ISA Server 2004 page, shown in Figure 2.4. Again, don't confuse this with the Getting Started Guide.

Figure 2.4: Selecting the ISA Server Name - Left Pane Displays Getting Started Page
The Getting Started page makes it easy to set up the ISA Server firewall and/or caching server. You will see options here for performing the following tasks:
Defining Your ISA Server Network Configuration allows you to select a predefined network template that you can use to create the layout for your ISA Server network and apply default policy rules. You can specify the NAT or routed relationship between multiple ISA server networks.
View and Create Firewall Policy Rules lets you configure rules that will determine how your ISA Server allows secure access to internal and external Web sites, other Internet sites, servers, e-mail, and other services.
Define How ISA Server Caches Web configures caching, first by defining a cache drive and then by creating caching rules to control how the Web content will be downloaded to the cache and the frequency of cache updates.
Configure VPN Access allows you to create a VPN gateway to allow remote users to connect to your Internal network via virtual private networking.
Monitor your ISA Server Network supplies options to view system details and verify connectivity (including real-time monitoring of which users are connected to which Web sites, and of application usage). You can also create alerts to notify administrators of specified events via e-mail and set up generation of one-time or scheduled reports.
Note: Each of the options on the Getting Started page actually takes you to one of the nodes shown in the left pane. Thus, clicking 'Define Your ISA Server Network Configuration' takes you to the same interface as clicking the Networks node under 'Configuration' in the left pane; clicking 'View and Create Firewall Policy Rules' takes you to the same interface as clicking Firewall Policy in the left pane, and so forth. After you become familiar with the ISA 2004 management console, you'll probably find it easier to just click the appropriate node in the left pane, but the Getting Started page brings together in an ordered list all of the configuration options you need when you first set up your ISA Server computer.
When the top ISA Server node is selected, in the Tasks tab of the right pane you'll see clickable icons for performing several tasks that relate to the ISA server as a whole. These include:
Define Administrative Roles invokes the Administration Delegation Wizard, which you can use to assign administrative roles to individual users or groups. The roles define what permissions those users will have to administer the ISA Server.
Disconnect Selected Server from Management Console will disconnect you from the local or remote ISA Server.
Backup this ISA Server Configuration allows you to save the ISA configuration as an .XML file.
Restore this ISA Server Configuration allows you to use the .XML file created by the Backup option to restore a configuration.
Related Tasks include exporting and importing ISA server configuration files (in .XML format).
A popular question we get is: 'How do the Backup and Restore functions differ from the Export and Import functions?' It's a good question, because at first glance, they look the same. In both cases, you're saving the ISA Server configuration to an .XML file and then bringing it back and applying it to the ISA server. The only difference you'll see between the two dialog boxes for saving the file is that the Export dialog box includes two checkboxes that you won't see when saving the file using the Backup feature:
Export user permission settings
Export confidential information (encryption will be used)
Both of these function sets allow you to save configuration information, but the export/import feature gives you more granular control over what information you save and how you save it.
With Backup/Restore, the server's general configuration information is saved. This consists of firewall policy rules, rule elements, alert configurations, cache configuration, and VPN configuration. You have no option to save only some of this information; it's an 'all-or-nothing' deal.
With the Export/Import, you can save the entire configuration, or just specific parts of it. For example, you can save just the networks, or just one network; just the Web chaining rules, or even just one specific chaining rule; just selected firewall policies; just the cache configuration, and so forth. If you select to export the entire configuration, the following will be saved:
Access rules
Publishing rules
Rule elements
Alert configuration
Cache configuration
ISA Server properties and all general configuration information
You can choose whether to export confidential information such as user passwords, pre-shared keys for IPSec, and RADIUS shared secrets. You can also choose whether to export user permission settings. With the Backup function, you have no choice: the confidential information and user permission settings are automatically saved. Either way, when you save confidential information, it is encrypted for protection. You specify a password during the export operation, and you'll have to enter it when you import the configuration.
Why export an entire configuration rather than using Backup? This is often used to clone a server, creating a second ISA Server with the identical configuration. If you need to have several ISA Server firewalls configured as duplicates (for example, for several branch offices), this is the fastest way to do it.
An important fact to note is that when you export an entire configuration, the certificate settings are included. If you import the configuration to another ISA Server that doesn't have the same certificates installed, the firewall service won't start.
We will revisit the Getting Started tasks in more detail in Chapter Six, Installing and Configuring the ISA Server 2004 Software.
Monitoring Node
The monitoring node in ISA Server 2004 is a big improvement over the ISA Server 2000 monitoring and logging interface. This is a busy node, with seven tabbed pages displayed in the middle pane:
The Dashboard
Alerts
Sessions
Services
Reports
Connectivity
Logging
The Dashboard is just what its name implies: a 'big picture' view that summarizes each of the areas represented by a tab (except Logging). Like the dashboard of a car, you're able to keep an eye on what's going on with all the different areas from one interface. The Dashboard is shown in Figure 2.5.

Figure 2.5: The Dashboard - A 'Big Picture' View of All Monitoring Areas at One Glance
The Dashboard also provides system performance information: you can see, in graph format, the number of packets allowed per second (x10) and the number of packets dropped per second.
Each of the Dashboard sections contains an icon that indicates the status of that area:
Checkmark inside a green circle: indicates that all is okay
Exclamation point inside a yellow triangle: indicates a warning
X inside a red circle: indicates a problem or potential problem
You can get more detailed information about each monitoring area by clicking on the appropriate tab.
We will go into more detail about how to use the Dashboard in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
The Alerts tab provides information about significant events that have occurred (for example, when services start or shut down, an intrusion is detected, the connection limit is exceeded, and so on). You can configure what actions will trigger alerts. The Alerts tab is shown in Figure 2.6.

Figure 2.6: The Alerts Tab Notifies You of Significant Events That Occur on the ISA Server
As you can see in Figure 2.6, if you click on an alert, more information about it will be displayed in the bottom middle pane. Alerts are marked by icons to indicate the relative importance of each. The icons will be familiar to Windows administrators, as they are the same ones used in the Event Viewer's system and application logs:
A lowercase 'i' in a white circle: indicates an informational alert. No action is necessary.
An exclamation point in a yellow triangle: indicates a warning. Action may be required.
An 'X' inside a red circle indicates an error, a problem or potential problem that demands immediate attention.
The right task pane allows you to refresh the Alerts window manually, or you can set an automatic refresh rate (none, low, medium, or high). Under Alerts Tasks, you can reset selected alerts by clicking the alert(s) you want to reset (you can highlight multiple alerts by holding down CTRL while you select them) and then clicking Reset. You will be asked if you're sure you want to reset the alert. Click Yes to do so.
You can also choose Acknowledge to indicate that you are handling the alert. This will not remove it from the Alerts window; however, the alert will be removed from the Dashboard view.
Finally, you can configure alerts by choosing from a list of predefined alert events, and you can specify the number of times an event must occur, or the number of events per second, in order to trigger an alert. You can also specify what should happen when an alert is triggered (send e-mail to an administrator, run a specified program, log to the Windows event log, or start or stop a specified service or services).
We will discuss how to configure alerts step-by-step in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
Tip: If you reset a group of alerts, all of the alerts in the group will disappear from the Alerts window. You won't see them there again unless/until the actions occur again to trigger them.
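As an added illustration (not code from the book or from ISA Server itself), the following Python models the alert semantics just described: a predefined event triggers after a set number of occurrences or when a per-second rate is reached, triggering runs the configured actions, Acknowledge hides the row from the Dashboard but not from the Alerts tab, and Reset removes it until it is triggered again. The event names, thresholds and action names are constructed assumptions.

```python
# Added illustration of the Alerts-tab behaviour described above; not ISA Server code.
# Event names, thresholds and the action tuples below are constructed assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class AlertDefinition:
    """A predefined alert event plus the condition that triggers it."""
    event: str
    severity: str = "warning"        # informational / warning / error (the icon level)
    occurrences: int = 1             # trigger after this many events since last reset ...
    per_second: float = 0.0          # ... or, if > 0, when this many arrive within one second
    actions: tuple = ("event_log",)  # e-mail, run program, event log, start/stop service

@dataclass
class Alert:
    event: str
    severity: str
    acknowledged: bool = False

class AlertMonitor:
    def __init__(self, definitions):
        self.defs = {d.event: d for d in definitions}
        self.counts = defaultdict(int)    # occurrences since the alert was last reset
        self.window = defaultdict(deque)  # event timestamps within the last second
        self.alerts = []                  # rows shown in the Alerts tab
        self.fired = []                   # (event, action) pairs that were executed

    def record(self, event, ts):
        """Feed one event (ts in seconds); return the Alert it raised, or None."""
        d = self.defs.get(event)
        if d is None:
            return None
        self.counts[event] += 1
        w = self.window[event]
        w.append(ts)
        while w and ts - w[0] >= 1.0:     # slide the one-second window forward
            w.popleft()
        if d.per_second > 0:
            triggered = len(w) >= d.per_second
        else:
            triggered = self.counts[event] >= d.occurrences
        if not triggered or any(a.event == event for a in self.alerts):
            return None                   # not yet, or already listed: no duplicate row
        alert = Alert(event, d.severity)
        self.alerts.append(alert)
        self.fired.extend((event, action) for action in d.actions)
        return alert

    def acknowledge(self, event):
        """Mark as being handled: stays in the Alerts tab, leaves the Dashboard."""
        for a in self.alerts:
            if a.event == event:
                a.acknowledged = True

    def reset(self, event):
        """Remove from the Alerts tab; it returns only if triggered again."""
        self.alerts = [a for a in self.alerts if a.event != event]
        self.counts[event] = 0
        self.window[event].clear()

    def view(self, dashboard=False):
        """Event names in the Alerts tab, or (dashboard=True) only the unacknowledged ones."""
        return [a.event for a in self.alerts if not (dashboard and a.acknowledged)]
```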
The Sessions tab makes it easy for administrators to view who is and has been connected through the ISA Server firewall and what applications they use. This information can be filtered for easier perusal. The Sessions window is shown in Figure 2.7.

Figure 2.7: Using the Sessions Tab - View Information About Who Has Connected Through the ISA Server Firewall
We will discuss how to use the Sessions information in more detail in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
The Services tab shows you the status and uptime of the ISA Server and ISA-related services that are running on the Windows 2000 or Server 2003 computer. You can stop and start the services from this window, either from the Services Tasks section of the right pane or by right-clicking the service you want to start or stop. The Services tab is shown in Figure 2.8 and is covered further in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.

Figure 2.8: The Services Tab - Stop and Start ISA-related Services
You can use the Reports tab, shown in Figure 2.9, to generate reports from the logs. We will cover reporting in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.

Figure 2.9: The Reports Tab - Generate Reports from the Logs
The Connectivity tab allows you to create, export, and import connectivity verifiers. These are objects that monitor the connectivity status between the ISA Server computer and a specific computer or URL. Connectivity can be determined via PING messages, TCP port, or HTTP request. The Connectivity tab is shown in Figure 2.10.

Figure 2.10: The Connectivity Tab - Monitor Connectivity Status Between the ISA Server and a Specific Computer or URL
We will show you how to configure and use connectivity verifiers in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
The last tab in the Monitoring window is the Logging tab, shown in Figure 2.11. You can use it to configure the logging process for the firewall, Web Proxy, and SMTP Message Screener logs. You can also edit filters to limit the data displayed, export and import filter definitions, and query the logs.

Figure 2.11: The Logging Tab - Filter and Query Data in the ISA Log Files
We will discuss how to configure, filter, and query the log files in Chapter 12, Using ISA Server 2004 Monitoring, Logging and Reporting Tools.
Firewall Policy Node
If you select Firewall Policy, the middle pane displays a list of firewall policy rules, and the right pane contains tabs labeled Toolbox, Tasks, and Help, as shown in Figure 2.12.

Figure 2.12: Firewall Policy - Configure Rules
The firewall policy node is the 'heart' of the ISA Server interface. This is where you create access rules, Web publishing rules, mail server publishing rules, and other server publishing rules to control access to and from your network. In addition, you can edit system policy, define IP preferences, and export and import both system policies and firewall policies. New access rules are created easily using the New Access Rule wizard, shown in Figure 2.13.

Figure 2.13: New Access Wizard - Create New Access and Publishing Rules
You will learn all the step-by-step details for creating and using access policies and publishing rules in Chapter 7, Creating and Using ISA Server 2004 Firewall Access Policy, and Chapter 8, Publishing Network Services to the Internet with ISA Server 2004.
Virtual Private Networks (VPN) Node
It's easy to set up your ISA Server firewall to act as a VPN gateway for remote access users or site-to-site VPN. The Virtual Private Networks node, shown in Figure 2.14, provides a friendly interface for performing common VPN configuration tasks and controlling client access.

Figure 2.14: Virtual Private Networks Node to Configure VPNs
The middle pane displays a list of configuration tasks, including:
Verifying that VPN client access is enabled
Specifying the Windows users who are allowed VPN access or selecting a RADIUS server for authentication
Verifying VPN properties and remote access configuration
Viewing firewall policy rules for the VPN clients network
Viewing rules that specify network relationships between the VPN clients network and other networks
From the right Tasks pane, you can configure client access (specifying number of simultaneous VPN connections, selecting groups for which VPN access is allowed, specifying allowed VPN protocols, and mapping users from non-Windows namespaces). You can even disable all VPN access with a single click.
We take you through the processes involved in creating and managing VPNs in Chapter 9, Protecting Remote Access and VPN Communications with ISA Server 2004.
Configuration Node: Networks Subnode
The Configuration node has four subnodes. If you select the Networks subnode, the middle pane displays a tabbed set of pages that includes networks, network sets, network rules, and Web chaining, as shown in Figure 2.15.
The right pane will contain tabs labeled Tasks, Templates, and Help.

Figure 2.15: The Networks Tab - Configure Networks, Network Sets, Network Rules and Web Chaining
The Networks tab is used to create and configure networks in a multiple network environment. The Network Sets tab lets you group networks and apply rules to a group, or set, of networks. The Network Rules tab is used to create, export, and import rules that define whether and what type of connectivity is allowed between different networks using translated (NAT) or routed connections. The Web Chaining tab is used to create Web chaining rules that allow you to route requests from clients to an upstream ISA Server or an alternate location.
We will discuss multiple network configurations in a bonus chapter Configuring Enterprise Networks, Caching Arrays and Network Load Balancing, to be made available free to purchasers of this book from www.syngress.com/solutions after the release of ISA Server 2004 Enterprise Edition.
Configuration Node: Cache Subnode
The Cache subnode, shown in Figure 2.16, is used to configure caching on your ISA Server.

Figure 2.16: The Cache Subnode - Configure or Disable Caching on your ISA Server
You can define cache drives where cached content will be stored and create cache rules via the New Cache Rule wizard. The rules apply to specific networks and determine how objects stored in the cache are to be retrieved when requested, as well as when content is to be cached, and limits on the size of cached objects. You can configure general cache settings here and export and import cache rules. You can also disable caching altogether, making the ISA Server function solely as a firewall.
We show you the step-by-step procedures for configuring and using ISA Server as a caching server in Chapter 11, Accelerating Web Performance with ISA Server 2004 Caching Capabilities.
Configuration Node: Add-ins Subnode
The Add-ins subnode is used to configure ISA Server's application layer filtering (ALF). This is where you enable, view, modify, and disable application filters and Web filters. Some filters are installed and enabled by default when you install ISA Server. The Add-ins subnode is shown in Figure 2.17.

Figure 2.17: The Add-ins Node - Configure Application and Web Filters
Configuration Node: General Subnode
Finally, the General subnode includes general administrative tasks, including:
Delegation of administration to grant permissions for users and groups to perform specific administrative tasks;
Configuration of firewall chaining to specify how requests from Firewall clients and SecureNAT clients are to be forwarded to upstream servers
Specification of Dial-up preferences if you use a dial-up account
Specification of certificate revocation so the ISA Server can verify that incoming certificates are not in the Certificate Revocation List (CRL)
Definition of Firewall client settings, including application settings
Viewing of ISA Server computer details, such as ISA version, name, product ID, creation date and installation directory
Configuration of link translation to select content types that define the pages to which link translation will be applied
This subnode also allows you to perform advanced security tasks, such as the following:
Define RADIUS servers
Enable intrusion detection and DNS attack detection
Define IP preferences
Define connection limits
The General subnode is shown in Figure 2.18.

Figure 2.18: The General subnode is used for general administrative and advanced security tasks