Automating ISA 2004 Client Provisioning - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

Automating ISA 2004 Client Provisioning

There are several methods available for automating the Web Proxy and Firewall client installation and configuration. These include:

- Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
- Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
- Automating Web Proxy Client Configuration with Group Policy
- Automating Web Proxy Client Configuration with Internet Explorer Administration Kit (IEAK)

The following sections discuss how to automate the configuration of Web Proxy and Firewall clients using the Web Proxy AutoDiscovery (WPAD) protocol and Active Directory Group Policy. We will not go into the details of how to use the Internet Explorer Administration Kit (IEAK) to automate Web Proxy client configuration.

Note that there are two methods for supporting Autodiscovery for Web Proxy and Firewall clients: DNS and DHCP. Table 5.12 provides information that will help you decide which method best fits your needs.

Note: You can also automate the configuration of Web Proxy clients using Active Directory Group Policy. There are Group Policy elements that allow you to configure the behavior of all browsers that belong within the scope of the Group Policy Object. This feature is available only for Web browser configuration; it is not available for Firewall client configuration.

Table 5.12: DNS and DHCP Support for Web Proxy and Firewall Client Autodiscovery

| DHCP | DNS |
|------|-----|
| Client must be a DHCP client | Client must be able to resolve DNS names on the Internal network |
| Internet Explorer 5.0 and above required | Internet Explorer 5.0 and above required |
| Must be able to send DHCPINFORM queries (Windows 2000, Windows XP, and Windows Server 2003 only) | Must be able to correctly qualify the unqualified name 'WPAD' with a domain name to yield a FQDN that resolves to the ISA 2004 firewall's Internal IP address |
| User must be logged on as local administrator | Each domain must be configured with its own WPAD entry |
| ISA 2004 firewall can publish autodiscovery information on any available port on the ISA firewall | ISA 2004 firewall must publish autodiscovery information on TCP port 80 |
| Each DHCP server must be configured with a WPAD entry. If multiple DHCP servers are within the same broadcast range as the client, then all DHCP servers within that range must be configured with a WPAD entry. | Each DNS server must be configured with a WPAD entry. Branch offices may require a custom configuration to prevent Branch office clients from using the WPAD entry pointing to ISA 2004 firewalls at the Main office. |

Note: For more information about the WPAD protocol, please see the ISA 2004 Help file at www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/CMT_AutoDetect.asp. For more information on how to configure IEAK to automate Web Proxy client configuration, please see Chapter 26 - Using Automatic Configuration, Automatic Proxy, and Automatic Detection at www.microsoft.com/resources/documentation/ie/6/all/reskit/en-us/part6/c26ie6rk.mspx

Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery

DHCP clients can obtain autoconfiguration information from the ISA 2004 firewall computer by using DHCPINFORM messages. The Firewall client and Web browser software can issue DHCPINFORM messages to query a DHCP server for the address of a machine containing the autoconfiguration information. The DHCP server returns the address of the machine containing the autoconfiguration information, and the Firewall client or Web browser software requests autoconfiguration information from the address returned by the DHCP server.

The DHCP server uses a special DHCP option to provide this information. In this section on configuring Web Proxy and Firewall clients to use DHCP to obtain autoconfiguration information via WPAD, we will discuss the following steps:

- Installing the DHCP server
- Creating the DHCP scope
- Creating the DHCP 252 scope option
- Configuring the client as a DHCP client
- Configuring the client browser to use autodiscovery
- Configuring the ISA 2004 firewall to publish autodiscovery information
- Making the connection

Install the DHCP Server

The first step is to install the DHCP server. We went through the procedures for installing a DHCP server in Chapter 4.

Create the DHCP Scope

A DHCP scope is a collection of IP addresses the DHCP server uses to assign to DHCP clients on the network. In addition, a DHCP scope can include additional TCP/IP settings to be assigned to clients, which are referred to as DHCP options. DHCP options can assign various TCP/IP settings such as a DNS server address, WINS server address, and primary domain name to DHCP clients.

Do the following on the DHCP server to enable the DHCP server and create the DHCP scope:

1. Click Start, and then select Administrative Tools. Click DHCP.

2. In the DHCP console, right-click on your server name in the left pane of the console. Click on the Authorize command (see Figure 5.26).

Figure 5.26: Locating the Authorize Command

3. Click Refresh in the button bar of the console. You will notice that the icon to the left of the server name changes from a red, down-pointing arrow to a green, up-pointing arrow.

4. Right-click the server name in the left pane of the console again, and click the New Scope command.

5. Click Next on the Welcome to the New Scope Wizard page.

6. Enter a name for the scope on the Scope Name page. This name is descriptive only and does not affect the functionality of the scope. You can also enter a Description in the description box, if you wish. Click Next.

7. Enter a range of IP addresses that can be assigned to DHCP clients on the IP Address Range page. Enter the first address in the range into the Start IP address text box and the last IP address in the range in the End IP address text box. Enter the subnet mask for your IP address range in the Subnet mask text box.

   In the example in Figure 5.27, the Internal network is on network ID 10.0.2/24. We do not want to assign all the IP addresses on the network ID to the DHCP scope, just a selection of them. So in this example, we enter 10.0.2.100 as the Start IP address and 10.0.2.150 as the End IP address and use a 24-bit subnet mask. Note that on production networks, it is often better to assign the entire network ID to the IP address range used in the scope. You can then create exceptions for hosts on the network that have statically-assigned IP addresses that are contained in the scope. This allows you to centrally manage IP address assignment and configuration using DHCP. Click Next.

Figure 5.27: Configuring the DHCP Scope IP Address Range

8. Do not enter any exclusions in the Add Exclusions dialog box. Click Next.

9. Accept the default settings on the Lease Duration page (8 days, 0 hours and 0 minutes), and click Next.

10. On the Configure DHCP Options page, select Yes, I want to configure these options now, and click Next.

11. Do not enter anything on the Router (Default Gateway) page. Note that if we were using SecureNAT clients on the network, we would enter the IP address of the Internal interface of the ISA 2004 firewall on this page. However, with the current scenario, we want to test only the Web Proxy and Firewall client configurations. Click Next.

12. On the Domain Name and DNS Servers page, enter the primary domain name you want to assign to DHCP clients, and the DNS server address you want the DHCP clients to use.

   The primary domain name is a critical setting for your Firewall and Web Proxy clients. In order for autodiscovery to work correctly for Firewall and Web Proxy clients, these clients must be able to correctly fully qualify the unqualified name WPAD. We will discuss this issue in more detail later. In this example, enter msfirewall.org in the Parent domain text box (see Figure 5.28). This will assign the DHCP clients the primary domain name msfirewall.org, which will be appended to unqualified names. Enter the IP address of the DNS server in the IP address text box. In this example, the IP address of the DNS server is 10.0.2.2. Click Add after entering the IP address. Click Next.

Figure 5.28: Configuring the Default Domain Name for DHCP Clients

13. Do not enter a WINS server address on the WINS Servers page. In this example, we do not use a WINS server. However, WINS servers are very useful in VPN server environments if you wish your VPN clients to be able to browse the campus network using the My Network Places or Network Neighborhood application. Click Next.

14. On the Activate Scope page, select Yes, I want to activate this scope now, and click Next.

15. Click Finish on the Completing the New Scope Wizard page.

16. In the right pane of the DHCP console, you see the two DHCP options you created in the Wizard, as seen in Figure 5.29.

Figure 5.29: Viewing the Scope Options

The next step is to create a custom DHCP option that will allow DHCP clients to autodiscover Web Proxy and Firewall client settings.

Create the DHCP 252 Scope Option and Add It to the Scope

The DHCP scope option number 252 is used to automatically configure Web Proxy and Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the logged-on user must be a member of the local Administrators group or Power Users group (for Windows 2000). On Windows XP systems, the Network Configuration Operators group also has permission to issue DHCP queries (DHCPINFORM messages).

Note: For more information about the limitations related to using DHCP for autodiscovery with Internet Explorer 6.0, please see KB article Automatic Proxy Discovery in Internet Explorer with DHCP Requires Specific Permissions at http://support.microsoft.com/default.aspx?scid=kb;en-us;312864

Do the following at the DHCP server to create the custom DHCP option:

1. Open the DHCP console from the Administrative Tools menu and right-click your server name in the left pane of the console. Click the Set Predefined Options command, shown in Figure 5.30.

Figure 5.30: Selecting the Set Predefined Options Command

2. In the Predefined Options and Values dialog box (Figure 5.31), click Add.

Figure 5.31: The Predefined Options and Values Dialog Box

3. In the Option Type dialog box (Figure 5.32), enter the following information:

   Name: wpad
   Data type: String
   Code: 252
   Description: wpad entry

   Click OK.

Figure 5.32: The Option Type Dialog Box

4. In the Value frame, enter the URL to the ISA 2004 firewall in the String text box. The format for this value is:

   http://ISAServername:Autodiscovery Port Number/wpad.dat

   The default autodiscovery port number is TCP 80. You can customize this value in the ISA Management console. If you do change the autodiscovery port number, then you will need to change the port number in the WPAD entry as well. We will cover this subject in more detail later.

   As shown in Figure 5.33, enter the following into the String text box:

   http://isa2.msfirewall.org:80/wpad.dat

   Make sure to enter wpad.dat in all lower case letters. For more information on this problem, please refer to KB article 'Automatically Detect Settings' Does Not Work if You Configure DHCP Option 252 at http://support.microsoft.com/default.aspx?scid=kb;en-us;307502

Figure 5.33: Predefined Options and Values Dialog Box

5. Click OK.

6. Right-click the Scope Options node in the left pane of the console, and click the Configure Options command.

7. In the Scope Options dialog box (Figure 5.34), scroll through the list of Available Options and put a checkmark in the 252 wpad check box. Click Apply and OK.

Figure 5.34: The Scope Options Dialog Box

8. The 252 wpad entry now appears in the right pane of the console under the list of Scope Options.

9. Close the DHCP console.

The next step is to configure the client computer as a DHCP client.

Configure the Client as a DHCP Client

In order to use DHCP to obtain autodiscovery information for Web Proxy and Firewall clients, the client computer must be configured as a DHCP client.

Note: In this example, we configure a Windows 2000 machine as a DHCP client. The procedure varies a bit with each client operating system. All Windows TCP/IP operating systems use DHCP as the default IP address configuration.

Do the following on the client machine to configure it as a DHCP client:

1. Right-click My Network Places on the desktop, and click the Properties command.

2. Right-click the Local Area Connection entry in the Network and Dial-up Connections window and click the Properties command.

3. In the Local Area Connection Properties dialog box, click the Internet Protocol (TCP/IP) entry and click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, select Obtain an IP address automatically and Obtain DNS server address automatically. Click OK.

5. Click OK in the Local Area Connection Properties dialog box.

6. Close the Network and Dial-up Connections window.

Now you're ready to configure the browser to use autodiscovery for automatically discovering its Web Proxy client settings.

Configure the Client Browser to Use DHCP for Autodiscovery

The browser must be configured to use autodiscovery before it can use the DHCP server option 252 to automatically configure itself. This is the default setting for Internet Explorer 6.0, but the default setting may have been changed at some time during the life of the browser on a particular machine. In the following example, we manually configure the browser to use autodiscovery to autoconfigure itself. We will discuss methods you can use to automatically set this option later.

Do the following on the Web Proxy client computer:

1. Right-click on the Internet Explorer icon on the desktop and click Properties.

2. In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button.

3. In the Local Area Network (LAN) Settings dialog box, put a checkmark in the Automatically detect settings check box. Click OK.

4. Click OK in the Internet Properties dialog box.

The ISA 2004 firewall must be configured to publish autodiscovery information before the Web Proxy client can obtain configuration information. That's the next step.

Configure the ISA 2004 Firewall to Publish Autodiscovery Information

All the settings required for the Web browser to configure itself are contained on the ISA 2004 firewall computer. By default, this option is disabled. You can enable publishing of autodiscovery information on the ISA 2004 firewall computer so that the Web Proxy client can obtain autoconfiguration settings.

Do the following on the ISA 2004 firewall computer to enable it to provide autoconfiguration information to Web Proxy and Firewall autodiscovery clients:

1. At the ISA 2004 firewall, open the Microsoft Internet Security and Acceleration Server 2004 management console. Expand the server name in the left pane of the console, and then expand the Configuration node. Click the Networks node.

2. On the Networks node, click the Networks tab in the Details pane.

3. Right-click the Internal network on the Networks tab, and click Properties (see Figure 5.35).

Figure 5.35: Accessing the Internal Network Properties Dialog Box

4. In the Internal Properties dialog box, put a checkmark in the Publish automatic discovery information check box. In the Use this port for automatic discovery request text box, leave the default port 80 as it is.

5. Click Apply and OK.

6. Click Apply to save the changes and update the firewall policy.

7. Click OK in the Apply New Configuration dialog box.

Making the Connection

All the components are now in place for the Web browser to automatically connect to the ISA 2004 firewall's Web Proxy service using autodiscovery.

Do the following on the Web Proxy client computer:

1. Open Internet Explorer and enter the URL for the Microsoft ISA Server site at www.microsoft.com/isaserver

2. A Network Monitor trace shows the DHCPINFORM messages sent by the Web Proxy client. The Web Proxy client uses DHCPINFORM messages, such as the one shown in Figure 5.36, to obtain the autodiscovery address contained in the DHCP option 252 entry.

Figure 5.36: Viewing the DHCPINFORM Request

3. In Figure 5.37, you can see the ACK response to the Web Proxy client's DHCPINFORM message. In the bottom pane of the Network Monitor console, you can see that the DHCP server has returned the address you configured in the DHCP option 252 entry.

Figure 5.37: Viewing the Contents of the DHCPINFORM Request

4. After the Web Proxy client receives the address of the ISA 2004 firewall containing the autodiscovery settings, the next step is for it to resolve the name of the ISA 2004 firewall to its Internal IP address. Name resolution is critical for multiple aspects of ISA 2004 firewall function, and this is another example of this fact. You can see in the Network Monitor trace (Figure 5.38) that the Web Proxy client has issued a query for isa2.msfirewall.org, which is the name contained in the URL in the DHCP 252 option.

Figure 5.38: Viewing the WPAD DNS Query

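
The option 252 value described in the DHCP section above and the DHCPINFORM/ACK exchange shown in Figures 5.36 and 5.37, as an added example in Python (not code from the book or from ISA Server): it encodes the string option the way the DHCP server places it in its ACK, extracts it from the options field the way the client does, and checks a candidate value against the rules the text gives (http, the path /wpad.dat in lower case, and a port that matches the port the ISA firewall publishes on). The sample ACK option bytes are constructed here; the ISA name and port are the chapter's lab values, and the server identifier 10.0.2.2 is an assumption.

```python
"""DHCP option 252 (WPAD) as sent in the ACK to a DHCPINFORM, plus the checks
a practitioner would run on the configured string. Added example, not code
from the book; the option bytes below are constructed, not captured."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

OPTION_PAD = 0      # single byte, no length field
OPTION_END = 255    # single byte, terminates the options field
OPTION_WPAD = 252   # the custom string option named "wpad" in the DHCP console


def encode_option_252(url: str) -> bytes:
    """Encode the wpad string as a DHCP option: code, length, ASCII value."""
    payload = url.encode("ascii")
    if len(payload) > 255:
        raise ValueError("a single DHCP option value is limited to 255 bytes")
    return bytes([OPTION_WPAD, len(payload)]) + payload


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Walk the options field (the bytes after the magic cookie) and return
    {code: value}. Pad has no length byte; End stops the walk."""
    result: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result[code] = value
        i += 2 + length
    return result


def extract_wpad_url(options: bytes) -> Optional[str]:
    """Return the option 252 string from an ACK's options, or None if absent."""
    value = parse_dhcp_options(options).get(OPTION_WPAD)
    return value.decode("ascii") if value is not None else None


def validate_wpad_url(url: str, isa_autodiscovery_port: int = 80) -> List[str]:
    """Check a candidate option 252 value against the rules in the text.
    Returns the list of problems found; an empty list means it looks correct."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append("scheme must be http")
    if not parts.hostname:
        problems.append("host name is missing")
    if parts.path != "/wpad.dat":
        if parts.path.lower() == "/wpad.dat":
            problems.append("wpad.dat must be all lower case (KB 307502)")
        else:
            problems.append("path must be /wpad.dat")
    port = parts.port if parts.port is not None else 80
    if port != isa_autodiscovery_port:
        problems.append(f"URL port {port} does not match the ISA autodiscovery port {isa_autodiscovery_port}")
    return problems


# Constructed sample: the options field of a DHCP ACK answering a DHCPINFORM.
# Option 53 = message type 5 (ACK); option 54 = server identifier 10.0.2.2
# (assumed here); option 252 = the wpad entry configured in the scope.
SAMPLE_ACK_OPTIONS = (
    bytes([53, 1, 5])
    + bytes([54, 4, 10, 0, 2, 2])
    + encode_option_252("http://isa2.msfirewall.org:80/wpad.dat")
    + bytes([OPTION_PAD, OPTION_END])
)

if __name__ == "__main__":
    url = extract_wpad_url(SAMPLE_ACK_OPTIONS)
    print("option 252 in ACK:", url)
    print("problems:", validate_wpad_url(url) or "none")
    print("problems:", validate_wpad_url("http://isa2.msfirewall.org:8080/Wpad.dat"))
```

Run validate_wpad_url with the port you set in the Internal network properties on the ISA firewall; if you change the autodiscovery port there, the same value has to appear in the option 252 string, and this check catches the mismatch before clients start failing silently.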











Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery

Another method you can use to deliver autodiscovery information to Web Proxy and Firewall clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this information to automatically configure themselves. This is in contrast to the situation we saw with the DHCP method, where the logged-on user needed to be a member of a specific group in the Windows operating system.

Name resolution is a pivotal component in making this method of Web Proxy and Firewall client autodiscovery work. In this case, the client operating system must be able to correctly fully qualify the name wpad. The reason for this is that the Web Proxy and Firewall client only knows that it needs to resolve the name wpad; it does not know what specific domain name it should append to the query to resolve the name wpad. We will cover this issue in detail later.

Note: In contrast to the DHCP method of assigning autodiscovery information to Web Proxy and Firewall clients, you do not have the option to use a custom port number to publish autodiscovery information when using the DNS method. You must publish autodiscovery information on TCP 80 when using the DNS method.

We will detail the following steps to enable DNS to provide autodiscovery information to Web Proxy and Firewall clients:

- Creating the wpad entry in DNS
- Configuring the client to use the fully-qualified wpad alias
- Configuring the client browser to use autodiscovery
- Making the connection

Creating the wpad Entry in DNS

The first step is to create a wpad alias entry in DNS. This alias points to a Host (A) record for the ISA 2004 firewall, which resolves the name of the ISA 2004 firewall to the Internal IP address of the firewall. This Host (A) record must be created before you create the CNAME alias entry. If you enable automatic registration in DNS, the ISA 2004 firewall's entry will already be entered into DNS. If you have not enabled automatic registration, you will need to create the Host (A) record for the ISA 2004 firewall manually. In the following example, the ISA 2004 firewall has automatically registered itself with DNS.

Warning: You should turn off DNS autoregistration on all network interfaces attached to the ISA 2004 firewall. This includes autoregistration for any demand-dial interfaces configured on the ISA 2004 firewall. If the ISA 2004 firewall has already autoregistered information in the DNS, you should remove all the autoregistered entries from the DNS after disabling autoregistration on each of the ISA 2004 firewall's adapters, and then re-enter the addresses. This will prevent problems with Internet connectivity when VPN clients connect to the ISA 2004 firewall's VPN server.

Do the following on the DNS server of the domain controller on the Internal network:

1. Click Start and select Administrative Tools. Click the DNS entry. In the DNS management console shown in Figure 5.39, right-click on the forward lookup zone for your domain, and click the New Alias (CNAME) command.

Figure 5.39: Selecting the New Alias (CNAME) Command

2. In the New Resource Record dialog box (Figure 5.40), enter wpad in the Alias name (uses parent domain if left blank) text box. Click the Browse button.

Figure 5.40: The New Resource Record Dialog Box

3. In the Browse dialog box, double-click on your server name in the Records list.

4. In the Browse dialog box, double-click on the Forward Lookup Zone entry in the Records frame.

5. In the Browse dialog box, double-click on the name of your forward lookup zone in the Records frame.

6. In the Browse dialog box, select the name of the ISA 2004 firewall in the Records frame. Click OK.

7. Click OK in the New Resource Record dialog box (Figure 5.41).

8. The CNAME (alias) entry appears in the right pane of the DNS management console (Figure 5.42).

9. Close the DNS Management console.

Figure 5.41: New Resource Dialog Box

Figure 5.42: Viewing the DNS WPAD Alias

Configure the Client to Use the Fully-Qualified wpad Alias

Web Proxy and Firewall clients need to be able to correctly resolve the name wpad. The Web Proxy and Firewall client configurations are not aware of the domain containing the wpad alias. The Web Proxy and Firewall client operating system must be able to provide this information to the Web Proxy and Firewall client software.

DNS queries must be fully qualified before the query is sent to the DNS server. A fully-qualified request contains a host name and a domain name. The Web Proxy and Firewall clients only know the host name portion, which in this case is wpad. The Web Proxy and Firewall client operating system must be able to provide the correct domain name, which it appends to the wpad host name, before it can send a DNS query to the DNS server.

There are a number of methods you can use to provide a domain name that is appended to the wpad name before the query is sent to the client's DNS server. Two popular methods for doing this are:

- Using DHCP to assign a primary domain name
- Configuring a primary domain name in the client operating system's network identification dialog box

We will detail these two methods in the following steps:

1. Right-click My Computer on the desktop, and click the Properties command.

2. In the System Properties dialog box, click the Network Identification tab. Click the Properties button.

3. In the Identification Changes dialog box (see Figure 5.43), click More.

Figure 5.43: The Identification Changes Dialog Box

4. In the DNS Suffix and NetBIOS Computer Name dialog box shown in Figure 5.44, enter the domain name that contains your wpad entry in the Primary DNS suffix of this computer text box. This is the domain name that the operating system will append to the wpad name before sending the DNS query to the DNS server. By default, the primary domain name is the same as the domain name to which the machine belongs. If the machine is not a member of a domain, this text box will be empty. Note that Change primary DNS suffix when domain membership changes is enabled by default. In the current example, the machine is not a member of a domain. Cancel out of each of the dialog boxes so that you do not configure a primary domain name at this time.

Figure 5.44: The DNS Suffix and NetBIOS Computer Name Dialog Box

5. Another way to assign a machine a primary domain name is to use DHCP. A DHCP server can be configured to supply DHCP clients a primary domain name by configuring a DHCP scope option. We did this earlier when we created a scope on the DHCP server using the DHCP scope wizard. In the current example, the DNS Domain Name scope option was set to deliver the domain name msfirewall.org to DHCP clients. This option (shown in Figure 5.45) has the same effect as manually setting the primary domain name. DHCP clients will append this name to unqualified DNS queries (such as those for wpad) before sending the DNS query to a DNS server.

Figure 5.45: Viewing Scope Options

6. Go to the DHCP client system and open a command prompt. At the command prompt, enter ipconfig /all and press ENTER. Notice that the machine has been assigned a Connection-specific DNS Suffix of msfirewall.org.

7. DHCP is the most efficient way to assign a primary DNS suffix to clients on your network, as seen in Figure 5.46. This feature allows you to automatically configure a DNS suffix on DHCP clients that connect to your network but are not members of your Active Directory domain. These clients can still correctly resolve the wpad name based on your current DNS infrastructure without requiring them to join the domain or configuring them manually.

Figure 5.46: DHCP Client Configuration

Note that if you have multiple domains and clients on your Internal network that belong to multiple domains, you will need to create wpad CNAME alias entries for each of the domains. In addition, DNS support for WPAD entries can be a bit problematic when you have a single Internal network domain that spans WAN links. You can only enter a single WPAD entry per domain, and all hosts that fully qualify the WPAD entry with that domain name will receive the same server address. This can lead to Branch office hosts attempting to access the Internet via an ISA 2004 firewall located at the Main office. The best solution to this problem is to create subdomains in the DNS that support Branch office clients.

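
The name-qualification step described above, as an added example in Python (not code from the book): it shows how a bare wpad query is qualified from the primary DNS suffix or the DHCP-supplied connection-specific suffix, resolved through the CNAME alias to the Host (A) record, and turned into the request on TCP 80 that the DNS method requires, and it lists the domains that still lack their own wpad alias. The zone data is constructed for this example: msfirewall.org and the ISA name isa2 are the chapter's lab values, while the firewall's address 10.0.2.1, the branch.msfirewall.org subdomain and the other.example domain are assumptions. Windows also tries parent suffixes of the primary suffix (suffix devolution); that is not modelled here.

```python
"""How the client qualifies the bare name wpad and what the DNS server answers.
Added example, not code from the book; the zone data is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: {zone: {relative name: (record type, value)}}.
# msfirewall.org and the ISA name isa2 are the chapter's lab values; the
# firewall address 10.0.2.1, the branch subdomain and other.example are assumed.
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "msfirewall.org": {
        "isa2": ("A", "10.0.2.1"),                     # Host (A) record of the firewall
        "wpad": ("CNAME", "isa2.msfirewall.org"),      # the alias created in the DNS console
    },
    "branch.msfirewall.org": {                         # subdomain for a Branch office
        "isa-branch": ("A", "10.0.3.1"),
        "wpad": ("CNAME", "isa-branch.branch.msfirewall.org"),
    },
    "other.example": {                                 # a domain with no wpad alias
        "dc1": ("A", "10.0.9.1"),
    },
}


def candidate_fqdns(name: str, primary_suffix: Optional[str],
                    connection_suffix: Optional[str]) -> List[str]:
    """Names the operating system will query for an unqualified name, in order:
    the primary DNS suffix (set manually or by domain membership) first, then the
    DHCP-supplied connection-specific suffix. With neither, nothing can be queried."""
    if "." in name:
        return [name]                                  # already qualified
    return [f"{name}.{s.strip('.')}" for s in (primary_suffix, connection_suffix) if s]


def resolve(fqdn: str, max_cname_hops: int = 8) -> Optional[str]:
    """Resolve an FQDN against ZONES, chasing a CNAME to the Host (A) record."""
    for _ in range(max_cname_hops):
        host, _, zone = fqdn.partition(".")
        record = ZONES.get(zone, {}).get(host)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        fqdn = value                                   # CNAME target: look it up next
    return None


def wpad_request_via_dns(primary_suffix: Optional[str],
                         connection_suffix: Optional[str]) -> Dict[str, str]:
    """Work out the autodiscovery request for the DNS method: the queried name,
    the address it resolves to and the URL fetched, always on TCP 80 because
    the DNS method has no way to carry a custom port."""
    candidates = candidate_fqdns("wpad", primary_suffix, connection_suffix)
    if not candidates:
        return {"error": "no DNS suffix configured, so 'wpad' cannot be qualified"}
    for fqdn in candidates:
        address = resolve(fqdn)
        if address is not None:
            return {"query": fqdn, "address": address, "url": f"http://{fqdn}:80/wpad.dat"}
    return {"error": "no wpad entry in: " + ", ".join(candidates)}


def domains_missing_wpad() -> List[str]:
    """Each domain needs its own wpad alias; list the zones that lack one."""
    return sorted(zone for zone, records in ZONES.items() if "wpad" not in records)


if __name__ == "__main__":
    print(wpad_request_via_dns(None, "msfirewall.org"))          # DHCP-supplied suffix
    print(wpad_request_via_dns("branch.msfirewall.org", None))   # Branch office subdomain
    print(wpad_request_via_dns("other.example", None))           # domain without an alias
    print(wpad_request_via_dns(None, None))                      # no suffix at all
    print("domains missing wpad:", domains_missing_wpad())
```

The Branch office case shows the subdomain approach the text recommends: a host whose primary suffix is branch.msfirewall.org resolves wpad to the branch firewall, while a host that only has the DHCP-supplied msfirewall.org suffix is sent to the Main office firewall.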






Configure the Client Browser to Use Autodiscovery

The next step is to configure the browser to use autodiscovery. If you have not already done so, configure the Web browser to use autodiscovery to automatically configure itself to use the ISA 2004 firewall's Web Proxy:

1. Right-click on the Internet Explorer icon on the desktop, and click Properties.

2. In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button.

3. In the Local Area Network (LAN) Settings dialog box, put a checkmark in the Automatically detect settings check box. Click OK.

4. Click Apply, and then click OK in the Internet Properties dialog box.

The next step is to configure the ISA 2004 firewall to publish autodiscovery information for Web Proxy and Firewall autodiscovery clients.

Special Considerations for VPN Clients

VPN clients can also be configured as Web Proxy clients of the network to which they connect via the VPN link. However, the Web Proxy client configuration is done on a per-connection basis. In order for the Web Proxy client to use the Web Proxy server on the destination network (the network the client is connected to via the VPN link), you must configure the VPN client to use the Web Proxy server for that specific VPN connection.

Perform the following steps to configure the VPN client to use a Web Proxy server on the remote network:

1. Right-click on the Internet Explorer icon on the desktop and click Properties.

2. On the Connections tab, you'll see a list of your VPN connections in the Dial-up and Virtual Private Network Settings list. Select the VPN connectoid from the list and click Settings.

3. In the Settings dialog box for the VPN connectoid, select the appropriate Web Proxy settings. Depending on the Web Proxy support provided by the remote network, you can use the Automatically detect settings, Use automatic configuration script, or Use a proxy server for this connection option.

4. Click OK, and then click OK again in the Internet Properties dialog box.

Allowing the VPN client to connect via the Web Proxy allows the VPN client to be a Web Proxy client in addition to a SecureNAT client when connected to the ISA firewall/VPN server. This has the potential to significantly enhance Web browsing performance and provides much better security than allowing split tunneling for the VPN client.

Configure the ISA 2004 Firewall to Publish Autodiscovery Information

Do the following on the ISA 2004 firewall to enable it to provide autoconfiguration information to Web Proxy and Firewall autodiscovery clients:

1. At the ISA 2004 firewall, open the Microsoft Internet Security and Acceleration Server 2004 management console. Expand the server name in the left pane of the console, and then expand the Configuration node. Click the Networks node.

2. On the Networks node, click the Networks tab in the Details pane.

3. Right-click the Internal network on the Networks tab, and click Properties (see Figure 5.47).

Figure 5.47: Accessing the Internal Network Properties Dialog Box

4. In the Internal Properties dialog box, put a checkmark in the Publish automatic discovery information check box. In the Use this port for automatic discovery request text box, leave the default port 80 as it is.

5. Click Apply and OK.

6. Click Apply to save the changes and update the firewall policy.

7. Click OK in the Apply New Configuration dialog box.

Warning: Make sure that you do not install, or if already installed, disable, the IIS WWW service on the ISA 2004 firewall. If the IIS WWW service is running on the ISA firewall, it could prevent the ISA 2004 firewall from binding to TCP port 80. This type of socket contention is common when the ISA firewall has extraneous services running on it. For this reason, we recommend that you never run non-firewall services on the ISA firewall. This includes the IIS WWW service. An exception to this is when the WWW service is required for remote firewall management using third-party vendor management interfaces, such as the comprehensive Web interface provided by the RoadBLOCK firewall appliance (www.rimapp.com).

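
A way to check for the socket contention the warning describes, as an added example in Python (not code from the book or from ISA Server): port_is_free tries to bind the autodiscovery port, which is the same operation that fails for the ISA firewall when another service already owns TCP 80, and who_answers sends the same GET /wpad.dat HTTP/1.1 request the Web Proxy client sends so that you can see which listener answers. The stub listener started by demo_contention is constructed for the demonstration and stands in for an unwanted service holding the port; it returns a minimal PAC script, not what ISA Server serves. The function names and the 127.0.0.1 address are this example's own choices.

```python
"""Check who owns the autodiscovery port before ISA tries to bind it.
Added example, not code from the book or from ISA Server."""
import socket
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional


def port_is_free(address: str, port: int) -> bool:
    """True if a new listener could bind address:port right now. A plain bind
    (no SO_REUSEADDR) is the same operation that fails for the firewall's
    autodiscovery listener when IIS or another service already holds TCP 80."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        try:
            s.bind((address, port))
            return True
        except OSError:
            return False


def who_answers(address: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Send the request the Web Proxy client sends (GET /wpad.dat HTTP/1.1) and
    return the status line, so you can tell whether the autodiscovery listener
    or some other service answered. None means nothing accepted the connection."""
    request = (f"GET /wpad.dat HTTP/1.1\r\nHost: {address}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        with closing(socket.create_connection((address, port), timeout=timeout)) as s:
            s.sendall(request)
            data = s.recv(1024)
    except OSError:
        return None
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace") or None


class _StubListener(BaseHTTPRequestHandler):
    """Constructed stand-in for a service already holding the port (demo only).
    It answers with a minimal PAC script, not what ISA Server serves."""
    protocol_version = "HTTP/1.1"

    def do_GET(self) -> None:
        body = b'function FindProxyForURL(url, host) { return "DIRECT"; }\n'
        self.send_response(200)
        self.send_header("Content-Type", "application/x-ns-proxy-autoconfig")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def demo_contention(address: str = "127.0.0.1") -> Dict[str, object]:
    """Start the stub on an ephemeral port, then run both checks against it."""
    server = HTTPServer((address, 0), _StubListener)   # port 0: the kernel picks a free one
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {"port": port,
                "free_while_held": port_is_free(address, port),
                "status_line": who_answers(address, port)}
    finally:
        server.shutdown()
        server.server_close()


def pick_unused_port(address: str = "127.0.0.1") -> int:
    """Ask the kernel for a port nobody is using (closed again before returning)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((address, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(demo_contention())
    p = pick_unused_port()
    print(f"port {p} free:", port_is_free("127.0.0.1", p))
```

On a real firewall you would run port_is_free against the Internal interface address and the port you entered in the Internal network properties; a False result before the ISA services start means another service, such as the IIS WWW service, already owns it, and who_answers shows whose banner comes back.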













Making the Connection Using DNS for Autodiscovery

All the parts are now in place to allow the Web Proxy and Firewall client machine to use DNS to obtain autoconfiguration information. Perform the following steps on the Web Proxy client computer:

1. Open Internet Explorer and go to the www.microsoft.com/isaserver/ home page.

2. A Network Monitor trace shows that the Web Proxy client makes a DNS query for wpad.msfirewall.org. The DNS server responds to the query with the IP address (shown in Figure 5.48) of the ISA 2004 firewall computer.

Figure 5.48: Viewing DNS wpad Query Requests

3. After it obtains the IP address of the ISA 2004 firewall computer and the port from which it can obtain autoconfiguration information, the Web Proxy client sends a request (see Figure 5.49) for wpad autoconfiguration information. You can see this request in the bottom pane of the Network Monitor window: GET /wpad.dat HTTP/1.1.

Figure 5.49: Viewing the Details of a DNS wpad Query Request