Tom and Deb Shinder's Configuring ISA 2004 Network Layout - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder






















Tom and Deb Shinder's Configuring ISA 2004 Network Layout





Throughout this book, we will give examples of how to configure the ISA firewall. Each of the exercises and configuration options will be within the context of the sample network we configured for this book. You can replicate this configuration on a lab network. Your lab network can consist of computers, or you can use operating system virtualization software to simulate the lab network configuration we use in this book. Microsoft Virtual PC and VMware Workstation are the two most popular operating system virtualization applications. We prefer, and have used, VMware extensively in our ISA firewall testing and modeling environment because of its advanced networking features. However, Microsoft Virtual PC or Virtual Server is adequate for most ISA firewall testing scenarios.





Figure 4.7 depicts the machines, and some of the details of each machine, in the lab network that forms the basis of the discussions in this book.














Figure 4.7: Lab Network Details





Tables 4.3 and 4.4 provide most of the salient details of the machines participating in the lab network setup.









































Table 4.3: Lab Network Details

| Setting | EXCHANGE2003BE | CLIENT | EXCHANGE2003FE | ISALOCAL | EXTCLIENT |
| IP Address | 10.0.0.2 | 10.0.0.3 | 172.16.0.2 | Int: 10.0.0.1; Ext: 192.168.1.70; Dmz: 172.16.0.1 | 192.168.1.90 |
| Default Gateway | 10.0.0.1 | 10.0.0.1 | 172.16.0.1 | 192.168.1.60 | N/A |
| DNS | 10.0.0.2 | 10.0.0.2 | 10.0.0.2 | Int: 10.0.0.2; Ext: N/A; Dmz: N/A | N/A |
| WINS | 10.0.1.2 | 10.0.0.2 | 10.0.0.2 | Int: 10.0.0.2; Ext: N/A; Dmz: N/A | N/A |
| Operating System / Services | Windows Server 2003; DC (msfirewall.org) [5], DNS, WINS, DHCP, RADIUS, Enterprise CA | Windows XP; none | Windows Server 2003; Exchange 2003 | Windows Server 2003; ISA 2004 | Windows XP; none |
| RAM Allocation | 128MB | 128MB | 128MB | 128MB | 64MB |
| VMnet | 2 | 2 | 4 | Int: 2; Ext: 0; Dmz: 4 | N/A |

Table 4.4: Lab Network Details

| Setting | DSL ROUTER | REMOTEISA | BRANCHWEB SERVER | REMOTE CLIENT | EXTERNAL WEB |
| IP Address | Int: 192.168.1.60; Ext: Public | Int: 10.0.1.1; Ext: 192.168.1.71 | 172.16.1.2 | 10.0.1.2 | 192.168.1.243 |
| Default Gateway | Public Gateway | 192.168.1.60 | 172.16.1.1 | 10.0.1.1 | N/A |
| DNS | Public | Public | N/A | N/A | N/A |
| WINS | N/A | N/A | N/A | N/A | N/A |
| Operating System | N/A | Windows Server 2003 | Windows Server 2003 | Windows XP | Windows 2000 |
| Services | N/A | ISA 2004 | SMTP, WWW, NNTP, FTP | N/A | SMTP, WWW, NNTP, FTP |
| RAM Allocation | N/A | 128MB | 64MB | 128MB | 64MB |
| VMnet | N/A | Int: 6; Ext: 0; Dmz: 5 | 5 | 6 | N/A |

[5] The Active Directory domain name used on the internal network is msfirewall.org. We will simulate a split DNS configuration so that internal and external network hosts are able to connect to hosted resources using the same Active Directory domain name.





This lab network configuration forms the basis of all the exercises and examples provided in this book. If you plan to mirror this network on physical machines, you can ignore the memory allocations noted in the tables. Those memory allocations were used in our VMware test lab so that we could run up to seven virtual machines simultaneously on the host operating system. Although virtual machine performance was a bit sluggish when running more than four VMs on a Pentium 4 1.5GHz machine with 1 GB of memory, performance was good enough to allow for viable scenario testing.





We place the lab hosts on different VMnets so that the networks are completely segmented. Each VMnet represents its own Ethernet broadcast domain. This allows us to simulate actual network communications as they would take place on any other wired network and simplifies log file and Network Monitor analysis. We highly recommend that you place each network ID on a different VMnet when testing your own ISA firewall configuration scenarios.





Note that not all machines are required for all scenarios. For any given scenario discussed in this book, only a subset of the machines described in the figure and table above are required. You also do not need to create a virtual machine for each host listed in the tables. For example, the Windows XP machine can act as the CLIENT, EXTERNALCLIENT and REMOTECLIENT. The only thing you need to do is change the machine name, the IP addressing information, and the VMnet on the virtual machine.





One major advantage of using virtual machines over physical devices is that you can create snapshots of the baseline configuration for each host in your virtual ISA firewall lab. You can save a snapshot of each virtual machine right after you have created its baseline configuration. You can then return to this snapshot when you're done testing a particular scenario.





Detailed instructions on how to configure the individual machines on the lab network are beyond the scope of this book. However, we will go over the detailed procedure on how to create the virtual machine for the ISALOCAL computer using VMware Workstation 4.0. After going through this example, you will have a good enough understanding on how to use VMware to create the rest of the virtual machines for our sample ISA firewall virtual network.










Note





Our decision to use VMware is based on our extensive experience with the product since it was first released to the general public. We do not want to give the impression that we believe VMware is superior to Virtual PC as an operating system virtualization option. Microsoft uses Virtual PC extensively in their own testing and training environments. We have tested ISA firewalls on the Virtual PC platform and found that virtual machine performance actually appeared slightly better. However, VMware has better support for the networking scenarios we typically try to reproduce in our labs, and so for testing firewall scenarios it provides a slightly better option. You can get more information on Virtual PC at www.microsoft.com/windows/virtualpc/default.mspx. Also, we recommend that you do not install VMware on a domain controller, as it has the potential to interfere with the browser service and the DC's role as master browser or domain master browser.





We used VMware 4.5.1 build-7568 when writing this book.







Creating the ISALOCAL Virtual Machine






The first step is to obtain the VMware Workstation software. You can download a trial version and test VMware before purchasing it. Go to http://www.vmware.com/download/ to find the download link. Make sure to review the system requirements before installing the VMware software. You can find these at http://www.vmware.com/support/ws45/doc/.





Run the VMware Workstation executable after downloading the file. You will need to restart the host operating system after installation is complete.





The ISALOCAL virtual machine runs the ISA firewall software on Windows Server 2003. You can install the Windows Server 2003 operating system from a CD-ROM drive connected to your host operating system, or you can use a CD image file ('.iso image'). These .iso images are used extensively on the MSDN download site. If you only have a CD-ROM copy of Windows Server 2003, you should consider creating an .iso file from the CD. This will make creating virtual machines using VMware Workstation much easier, as you can mount the .iso file as a CD-ROM drive and boot to the .iso CD-ROM drive to install Windows Server 2003.





You can also create your own .iso files. This can be of great help when working with virtual machines, as you can mount the .iso files as virtual CD-ROM drives. For example, you might want to create an .iso file for your ISA 2004 CD. There are a number of software applications that allow you to do this. One that we've had success with is WinISO, which you can find at www.winiso.com/.










Tip





You can download an evaluation version of the Windows Server 2003 Enterprise Edition software at https://microsoft.order-5.com/windowsserver2003evaldl/





This trial software is provided as an .iso file that you can mount as a virtual CD-ROM Drive.










In this example, we'll use an .iso file. After placing the .iso file on the local hard disk of your host operating system, perform the following steps to create the ISALOCAL virtual machine:











1. Open the VMware application. In the VMware Workstation window (Figure 4.8), click the New Virtual Machine icon.

   Figure 4.8: VMware Workstation Window

2. Click Next on the Welcome to the New Virtual Machine Wizard page.

3. On the Select the Appropriate Configuration page, select the Custom option. Click Next.

4. On the Select a Guest Operating System page (Figure 4.9), select the Microsoft Windows option. Select Windows Server 2003 Enterprise Edition from the Version list. Click Next.

   Figure 4.9: Guest Operating System Page

5. On the Name the Virtual Machine page (Figure 4.10), enter a virtual machine name in the text box. In this example, name the machine ISALOCAL. Enter a path for the virtual machine in the Location text box. Click Next.

   Figure 4.10: Name the Virtual Machine Page

6. On the Memory for the Virtual Machine page (Figure 4.11), assign the amount of host system memory you want to allocate to this virtual machine. In our ISA firewall virtual network, the ISALOCAL machine has 128MB of memory allocated to it. Enter 128 in the memory text box. Click Next.

   Figure 4.11: Memory for the Virtual Machine Page

7. On the Network Type page (Figure 4.12), select the Use bridged networking option. This option allows the first network interface card in the virtual machine to connect to the live network to which the host operating system is connected. You can assign a valid IP address to this interface in the virtual machine, communicate with all machines on the live network, and connect to the Internet via the live network's gateway. This is the interface that will act as the external interface of the ISALOCAL ISA firewall virtual machine. The ISALOCAL VM will use this interface to connect to the live network's Internet gateway (which is a DSL router on our network). We will later add two more network interface cards to this virtual machine to connect ISALOCAL to VMnet2 (the Internal network) and VMNet4 (the DMZ network). Click Next.

   Figure 4.12: Network Type Page

8. On the Select I/O Adapter Types page, use the default settings, and click Next.

9. On the Select a Disk page, select the Create a New Virtual Disk option. This creates a virtual hard disk file on the host operating system's drive; the virtual machine sees this file as a hard disk. Click Next.

10. On the Select a Disk Type page, select the IDE (Recommended) option, and click Next.

11. On the Specify Disk Capacity page (Figure 4.13), use the default value, 4.0, for the Disk size (GB) entry. Although Windows Server 2003 and the ISA firewall software will not require this amount of disk space, you do not need to worry about the virtual disk file using up this amount of space on your host system's physical disk. The value you enter on this page is the maximum size to which the virtual machine's disk will grow. While the virtual machine will always see its hard disk as the size you enter here, the actual virtual disk file on the host operating system grows dynamically to accommodate the data placed on the virtual machine's hard disk. Click Next.

   Figure 4.13: Specify Disk Capacity Page

12. Accept the default name for the disk file on the Specify Disk File page, and click Finish.

13. In the ISALOCAL window, click the VM menu, and then click Settings.

14. In the Virtual Machine Control Panel dialog box, click the Hardware tab. On the Hardware tab, click Add.

15. Click Next on the Welcome to the Add Hardware Wizard page.

16. On the Hardware Type page (Figure 4.14), select the Ethernet Adapter option, and click Next.

   Figure 4.14: Hardware Type Page

17. On the Network Type page, select the Custom option. Select VMNet2 from the drop-down list. This network interface will be the interface connected to the Internal network. Click Finish.

18. The second network interface card shows up as NIC 2 in the Device list.

19. In the Virtual Machine Control Panel dialog box, click the Hardware tab. On the Hardware tab, click Add.

20. Click Next on the Welcome to the Add Hardware Wizard page.

21. On the Hardware Type page (Figure 4.15), select the Ethernet Adapter option, and click Next.

   Figure 4.15: The Hardware Type Page

22. On the Network Type page, select the Custom option. Select VMNet4 from the drop-down list. This network interface will be the interface connected to the DMZ network. Click Finish.

23. The third network interface card shows up as NIC 3 in the Device list.

24. Click on the CD-ROM 1 (IDE 1:0) entry in the Device list.

25. On the right side of the dialog box (Figure 4.16), select the Use ISO image option and use the Browse button to locate the Windows Server 2003 .iso file.

   Figure 4.16: Selecting an .iso Image

26. Click on the USB Controller entry in the Device list. Click Remove.

27. Click OK in the Virtual Machine Control Panel dialog box.











Now that the virtual machine hardware settings are configured, we can begin installing Windows Server 2003. Perform the following steps to complete the Windows Server 2003 operating system installation:











1. Click the Start this virtual machine link on the left side of the ISALOCAL - VMware Workstation window (Figure 4.17). The machine will boot the CD-ROM disk represented by the .iso file.

   Figure 4.17: Starting the Virtual Machine

2. Press ENTER when you see the Setup Notification page.

3. Press ENTER on the Welcome to Setup page.

4. Press F8 on the Windows Licensing Agreement page.

5. Press ENTER on the Partition Setup page.

6. Accept the default selection, Format the partition using the NTFS file system, on the formatting page and press ENTER. The partition is quickly formatted.

7. The file copy phase copies the Windows Server 2003 files from the .iso image to the virtual disk. The virtual machine automatically reboots after the files are copied.

8. The installation routine enters graphical interface mode after the reboot.

9. Click Next on the Regional and Language Options page.

10. Enter your Name and Organization on the Personalize Your Software page. Click Next.

11. Enter your product key in the Your Product Key dialog box. Click Next.

12. On the Licensing Modes page, enter the value 500 in the Per server. Number of concurrent connections text box. Click Next.

13. On the Computer Name and Administrator Password page, enter ISALOCAL in the Computer name text box. Enter a password in the Administrator password and Confirm password text boxes. Click Next.

14. Click Yes in the Windows Setup dialog box indicating that the password you entered is not secure.

15. Enter the correct date, time, and time zone settings in the Date and Time Settings dialog box. Click Next.

16. On the Networking Settings page, select Typical settings, and click Next.

17. Accept the default option on the Workgroup or Computer Domain page. After you have installed the EXCHANGE2003BE machine on the Internal network (VMNet2), you should join the ISALOCAL machine to the msfirewall.org domain. Click Next.

18. The installation continues, and then the virtual machine restarts.

19. Log on to the ISALOCAL machine using the Administrator account and the password you created.











Now that the Windows Server 2003 software is installed, we can configure the network interface cards in the virtual machine with the proper IP addressing information. Perform the following steps to configure the ISALOCAL virtual machine's network interface cards and configure other operating system options:











1. After logging on to the ISALOCAL virtual machine, click the VM menu, and click the Install VMware Tools command.

2. Click Install in the ISALOCAL dialog box.

3. Click Next on the Welcome to the installation wizard for VMware Tools page.

4. On the Setup Type page, select Complete, and click Next.

5. Click Install on the Ready to Install the Program page.

6. For each of the Hardware Installation dialog boxes, click the Continue Anyway button.

7. Click Yes on the VMware Tools Installation dialog box informing you that hardware acceleration is not enabled on the virtual machine.

8. If the installation page for Windows Server 2003 appears, close it.

9. Minimize the Notepad window that has the HWAccel.txt file open.

10. On the Settings tab of the Display Properties dialog box, click Advanced.

11. In the Default Monitor and Standard VGA Graphics Adapter Properties dialog box, click the Troubleshoot tab.

12. On the Troubleshoot tab, drag the slider bar all the way over to the Full setting. Click Apply, and then click OK.

13. Click OK in the Display Properties dialog box.

14. Click Finish on the Installation Wizard Completed page.

15. Click Yes on the VMware Tools dialog box. This will restart the Windows Server 2003 ISALOCAL virtual machine.

16. Log on as Administrator.











The next step is to configure the network interface cards in the virtual machine. Perform the following steps to configure the network interface cards:











1. Right-click on an empty area of the desktop, and click Properties.

2. In the Display Properties dialog box, click the Desktop tab.

3. On the Desktop tab, click Customize Desktop.

4. In the Desktop Items dialog box, click the General tab. On the General tab, put checkmarks in the My Documents, My Computer, My Network Places, and Internet Explorer checkboxes. Click OK.

5. Click Apply, and then click OK in the Display Properties dialog box.

6. Right-click the My Network Places icon on the desktop, and click Properties.

7. Right-click the Local Area Connection icon in the Network Connections window, and click Rename. Name the connection WAN.

8. Right-click on Local Area Connection 2, and click Rename. Name this connection LAN.

9. Right-click on Local Area Connection 3, and click Rename. Name this connection DMZ.











Now we can assign IP addressing information to each of the interfaces. We'll begin with the external interface of the ISA firewall virtual machine.











1. Right-click on the WAN interface, and click Properties.

2. In the WAN Properties dialog box, click the Internet Protocol (TCP/IP) entry, and click Properties.

3. On the General tab of the Internet Protocol (TCP/IP) Properties dialog box (Figure 4.18), enter the IP addressing information as seen in the following figure.

   Figure 4.18: Entering IP Addressing Information

4. Click the Advanced button.

5. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove the checkmark from the Register this connection's addresses in DNS checkbox. Click OK.

6. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.

7. Click Close in the WAN Properties dialog box.











Perform the following steps to configure the LAN interface's IP addressing information:











1. Right-click on the LAN interface, and click Properties.

2. In the LAN Properties dialog box, click the Internet Protocol (TCP/IP) entry, and click Properties.

3. On the General tab of the Internet Protocol (TCP/IP) Properties dialog box (Figure 4.19), enter the IP addressing information as seen in the following figure.

   Figure 4.19: Entering IP Addressing Information

4. Click the Advanced button.

5. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove the checkmark from the Register this connection's addresses in DNS checkbox.

6. Click the WINS tab (Figure 4.20). On the WINS tab, click Add. In the TCP/IP WINS Server dialog box, enter the IP address of the WINS server. On our ISA firewall virtual network, the domain controller also acts as the WINS server, so enter 10.0.0.2 into this dialog box. Click Add.

   Figure 4.20: Entering a WINS Server Address

7. Click OK in the Advanced TCP/IP Settings dialog box.

8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.

9. Click OK in the LAN Properties dialog box.











We'll finish up by configuring the IP addressing information for the DMZ interface on the ISA firewall machine. Perform the following steps to configure the DMZ interface:











1. Right-click on the DMZ interface, and click Properties.

2. In the DMZ Properties dialog box, click Internet Protocol (TCP/IP), and click Properties.

3. On the General tab of the Internet Protocol (TCP/IP) Properties dialog box (Figure 4.21), enter the IP addressing information as seen in the following figure.

   Figure 4.21: Entering IP Addressing Information

4. Click the Advanced button.

5. In the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove the checkmark from the Register this connection's addresses in DNS checkbox. Click OK.

6. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.

7. Click Close in the DMZ Properties dialog box.











The Windows Server 2003 operating system is now ready for the ISA firewall software. At this point, you should save a snapshot of the configuration. Click the Snapshot menu in the ISALOCAL - VMware Workstation window, and click Save Snapshot. This allows you to get back to the base operating system configuration in the event that you want to start from a clean environment again. When we get to installing the ISA firewall software in Chapter 6, we'll describe how to save another snapshot of the configuration after installing the ISA firewall software.





The procedures used to install and configure the ISALOCAL virtual machine can be used to install the other virtual machines in the ISA firewall virtual network. Pay close attention to the IP addressing information for each virtual machine and make sure that you assign each virtual machine to the correct VMnet. You can test whether machines are connected to the correct VMnet by having the ISALOCAL or REMOTEISA machines ping hosts on their respective networks. For example, after creating the EXCHANGE2003BE machine, ping 10.0.0.2 from the ISALOCAL machine. If you do not get a ping reply back, the most likely reason for the failure is that you either misconfigured the IP addressing information on one of the machines, or the machines are not on the same VMnet.
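The ping test above tells you that something is wrong but not what; the two causes the book names (wrong IP addressing, wrong VMnet) can be separated by checking the lab tables themselves before a single VM is booted. The script below is an added example, not code from the book or from VMware: it transcribes the hosts of Tables 4.3 and 4.4 into a small model, predicts whether a direct ping between two hosts should be answered and why not, follows default gateways across the segmented VMnets, and runs static checks over the whole table (every default gateway must be an on-link lab host, every VMnet must carry a single subnet, no address may be reused). Two assumptions are the example's own and not stated on the page: a /24 mask on every segment (the tables list no masks) and the name "VMnet0" for the bridged network (the VMnet column shows 0 for bridged interfaces). ISA firewall policy and the site-to-site VPN are deliberately not modelled; a host that is reachable here still needs an access rule to actually get through.

```python
"""Consistency checks for the lab topology in Tables 4.3 and 4.4 (added example).

Assumptions of this example, not of the page: every segment uses a /24 mask and
the bridged network is called "VMnet0". Only adjacency and default routes are
modelled; ISA firewall policy and the site-to-site VPN are not.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Iface:
    name: str    # Int/Ext/Dmz label from the table, or LAN for a single NIC
    addr: str    # address with prefix length; the /24 is an assumption
    vmnet: str   # VMware virtual switch the NIC is attached to


@dataclass(frozen=True)
class Host:
    name: str
    ifaces: Tuple[Iface, ...]
    gateway: Optional[str] = None   # None where the table says N/A or "Public"


# Transcribed from Tables 4.3 and 4.4 (the DSL router's public side is left out).
LAB = (
    Host("EXCHANGE2003BE", (Iface("LAN", "10.0.0.2/24", "VMnet2"),), "10.0.0.1"),
    Host("CLIENT", (Iface("LAN", "10.0.0.3/24", "VMnet2"),), "10.0.0.1"),
    Host("EXCHANGE2003FE", (Iface("DMZ", "172.16.0.2/24", "VMnet4"),), "172.16.0.1"),
    Host("ISALOCAL", (Iface("LAN", "10.0.0.1/24", "VMnet2"),
                      Iface("WAN", "192.168.1.70/24", "VMnet0"),
                      Iface("DMZ", "172.16.0.1/24", "VMnet4")), "192.168.1.60"),
    Host("EXTCLIENT", (Iface("LAN", "192.168.1.90/24", "VMnet0"),)),
    Host("DSL ROUTER", (Iface("Int", "192.168.1.60/24", "VMnet0"),)),
    Host("REMOTEISA", (Iface("Int", "10.0.1.1/24", "VMnet6"),
                       Iface("Ext", "192.168.1.71/24", "VMnet0")), "192.168.1.60"),
    Host("BRANCHWEB SERVER", (Iface("DMZ", "172.16.1.2/24", "VMnet5"),), "172.16.1.1"),
    Host("REMOTE CLIENT", (Iface("LAN", "10.0.1.2/24", "VMnet6"),), "10.0.1.1"),
    Host("EXTERNAL WEB", (Iface("LAN", "192.168.1.243/24", "VMnet0"),)),
)


def _host(lab, name):
    return next(h for h in lab if h.name == name)


def onlink_iface(host, ip):
    """The interface of host whose subnet contains ip, or None if ip is off-link."""
    target = ipaddress.ip_address(ip)
    return next((i for i in host.ifaces
                 if target in ipaddress.ip_interface(i.addr).network), None)


def owner_of(lab, ip):
    """(host, iface) that has ip configured, or (None, None) if no lab host does."""
    target = ipaddress.ip_address(ip)
    for h in lab:
        for i in h.ifaces:
            if ipaddress.ip_interface(i.addr).ip == target:
                return h, i
    return None, None


def diagnose_ping(lab, src_name, dst_ip):
    """Why a direct ping from src to dst_ip would or would not get a reply.

    Returns (status, detail). Wrong IP addressing shows up as "no-route" or
    "unknown-host"; a NIC on the wrong virtual switch shows up as "wrong-vmnet".
    """
    src = _host(lab, src_name)
    src_if = onlink_iface(src, dst_ip)
    if src_if is None:
        return "no-route", f"{src_name} has no interface on the subnet of {dst_ip}"
    dst, dst_if = owner_of(lab, dst_ip)
    if dst is None:
        return "unknown-host", f"no lab host is configured with {dst_ip}"
    if src_if.vmnet != dst_if.vmnet:
        return "wrong-vmnet", (f"{src_name}/{src_if.name} is on {src_if.vmnet} "
                               f"but {dst.name}/{dst_if.name} is on {dst_if.vmnet}")
    return "ok", f"{src_name}/{src_if.name} -> {dst.name}/{dst_if.name} on {src_if.vmnet}"


def trace(lab, src_name, dst_ip, max_hops=8):
    """Follow default gateways from src toward dst_ip; the list of hops, or None."""
    cur = _host(lab, src_name)
    path = [cur.name]
    for _ in range(max_hops):
        status, _ = diagnose_ping(lab, cur.name, dst_ip)
        if status == "ok":
            return path + [owner_of(lab, dst_ip)[0].name]
        if status != "no-route" or cur.gateway is None:
            return None   # dead end: wrong VMnet, unknown address, or no gateway
        if diagnose_ping(lab, cur.name, cur.gateway)[0] != "ok":
            return None   # the gateway itself is not reachable from this host
        cur = owner_of(lab, cur.gateway)[0]
        path.append(cur.name)
    return None


def check_lab(lab):
    """Static checks over the whole table; returns a list of findings (empty = clean)."""
    findings, seen, subnets = [], {}, {}
    for h in lab:
        for i in h.ifaces:
            ip = ipaddress.ip_interface(i.addr)
            if ip.ip in seen:
                findings.append(f"{h.name}: {ip.ip} is already used by {seen[ip.ip]}")
            seen[ip.ip] = h.name
            subnets.setdefault(i.vmnet, set()).add(ip.network)
        if h.gateway is not None:
            status, detail = diagnose_ping(lab, h.name, h.gateway)
            if status != "ok":
                findings.append(f"{h.name}: default gateway {h.gateway} unusable ({detail})")
    for vmnet, nets in sorted(subnets.items()):
        if len(nets) > 1:   # one broadcast domain should carry exactly one subnet
            findings.append(f"{vmnet} carries several subnets: {sorted(map(str, nets))}")
    return findings


def replace_host(lab, host):
    """Copy of lab with one host swapped out, to simulate a misconfigured VM."""
    return tuple(host if h.name == host.name else h for h in lab)


if __name__ == "__main__":
    for finding in check_lab(LAB):
        print("finding:", finding)
    print(diagnose_ping(LAB, "ISALOCAL", "10.0.0.2"))
    print(trace(LAB, "CLIENT", "192.168.1.243"))
```

Run as-is, check_lab reports one finding straight from the tables: BRANCHWEB SERVER's default gateway 172.16.1.1 belongs to no listed host, because Table 4.4 gives REMOTEISA a DMZ VMnet (5) but no DMZ address. Swapping in a CLIENT attached to VMnet4, or one addressed 10.0.1.3, reproduces the two failure modes the ping test in the text is meant to catch, and trace shows why REMOTE CLIENT cannot reach the internal network without the VPN of Chapter 9.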





If you are interested in the simplest setup that will allow you to test the majority of scenarios in this book, you can use the following virtual machines:











- ISALOCAL
- ISAREMOTE
- CLIENT
- EXCHANGE2003BE
- REMOTECLIENT











Note that you do not need to go through the entire configuration again for the REMOTECLIENT machine. You can copy the directory for the CLIENT machine to another location, and then reconfigure the name, IP addressing information, and VMnet in the copy. That will allow you to have a REMOTECLIENT that you can communicate with when we do the site-to-site VPN exercises in Chapter 9.










Tip





VMware Workstation 4.0 only supports three virtual NICs out of the box. However, with the kind help of Alessandro Perilli (http://www.virtualization.info/), you can add a fourth NIC to a single VMware virtual machine. Here's what you do:

Open the virtual machine's .vmx file and add these lines to the bottom:

    ethernet3.present = "TRUE"
    ethernet3.addressType = "generated"
    ethernet3.generatedAddress = "00:0c:29:cb:7d:8f"
    ethernet3.generatedAddressOffset = "30"
    ethernet3.connectionType = "custom"
    ethernet3.vnet = "VMnet3"

You cannot change the ethernet number (3) or the generatedAddressOffset.

You can change the addressType, the generatedAddress, the connectionType, and the vnet.
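Editing a .vmx by hand is easy to get wrong (a second ethernet3 block, a typo in the VMnet name, a MAC outside the range VMware generates), so here is an added example, not code from the book or from VMware, that applies the tip programmatically. It parses the one-setting-per-line .vmx format, refuses to add the fourth NIC twice, and keeps the ethernet index and the offset fixed exactly as the tip says while letting the vnet and MAC vary. The sample .vmx text, the function names, and the rule that NICs 0 through 2 must already exist before a fourth is appended are constructions of this example; the 00:0c:29 prefix is the one the tip's own address uses.

```python
"""Append the tip's fourth NIC to a VMware Workstation 4 .vmx file (added example).

The .vmx layout (one `key = "value"` per line) is VMware's; the sample file,
the helper names and the "first three NICs must exist" rule are this example's own.
"""
import re

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"([^"]*)"\s*$')
MAC = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
VMWARE_OUI = "00:0c:29"   # prefix used by the generated address in the tip

# Constructed stand-in for the ISALOCAL .vmx after the three NICs added in the wizard.
SAMPLE_VMX = """\
config.version = "8"
virtualHW.version = "3"
displayName = "ISALOCAL"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet2"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "VMnet4"
"""


def parse_vmx(text):
    """Parse .vmx text into {key: value}. Keys are lower-cased so that lookups are
    case-insensitive (the tip itself mixes Ethernet3 and ethernet3)."""
    settings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m is None:
            raise ValueError(f'line {n}: not a key = "value" setting: {line!r}')
        settings[m.group(1).lower()] = m.group(2)
    return settings


def fourth_nic_lines(vnet="VMnet3", mac="00:0c:29:cb:7d:8f",
                     address_type="generated", connection_type="custom"):
    """The six lines from the tip. Only vnet, MAC, address type and connection type
    are meant to vary; the ethernet index (3) and the offset (30) stay fixed."""
    if not re.fullmatch(r"VMnet[0-9]", vnet):
        raise ValueError(f"not a Workstation VMnet name: {vnet}")
    if not MAC.match(mac) or not mac.lower().startswith(VMWARE_OUI):
        raise ValueError(f"not a VMware generated-style MAC address: {mac}")
    return [
        'ethernet3.present = "TRUE"',
        f'ethernet3.addressType = "{address_type}"',
        f'ethernet3.generatedAddress = "{mac}"',
        'ethernet3.generatedAddressOffset = "30"',
        f'ethernet3.connectionType = "{connection_type}"',
        f'ethernet3.vnet = "{vnet}"',
    ]


def add_fourth_nic(vmx_text, vnet="VMnet3", mac="00:0c:29:cb:7d:8f"):
    """Return vmx_text with the fourth NIC appended, refusing to do it twice."""
    settings = parse_vmx(vmx_text)
    if settings.get("ethernet3.present", "").upper() == "TRUE":
        raise ValueError("ethernet3 is already defined in this .vmx")
    missing = [n for n in range(3)
               if settings.get(f"ethernet{n}.present", "").upper() != "TRUE"]
    if missing:   # this example's own rule: NICs 0-2 come from the wizard first
        raise ValueError(f"NIC(s) {missing} are not present yet; add them in the wizard")
    return vmx_text.rstrip("\n") + "\n" + "\n".join(fourth_nic_lines(vnet, mac)) + "\n"


if __name__ == "__main__":
    print(add_fourth_nic(SAMPLE_VMX))
```

To apply it to a real file, read the .vmx, pass its text through add_fourth_nic, and write the result back while the virtual machine is powered off.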









