Automating Installation of the Firewall Client - Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] - نسخه متنی

Thomas W. Shinder; Debra Littlejohn Shinder

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Back Cover Dr. Tom Shinder's Configuring ISA Server 2004 Introduction Acknowledgments About the Authors Technical Editor A Note From the Publisher From Deb and Tom Shinder, Authors Chapter 1: Evolution of a Firewall: From Proxy 1.0 to ISA 2004 The Book: What it Covers and Who It's For It's in the Book: What We Cover This Book's For You: Our Target Audience Security: The New Star of the Show Security: What's Microsoft Got to Do with It? Security: A Policy-Based Approach Security: A Multilayered Approach Firewalls: The Guardians at the Gateway Firewalls: History and Philosophy Firewalls: Understanding the Architecture Firewalls: Features and Functionality Firewalls: Role and Placement on the Network ISA: From Proxy Server to Full-Featured Firewall ISA: A Glint in MS Proxy Server's Eye ISA: A Personal Philosophy Summary Chapter 2: Examining the ISA Server 2004 Feature Set The New GUI: More Than Just a Pretty Interface Examining the Graphical Interface Examining The Management Nodes Teaching Old Features New Tricks Enhanced and Improved Remote Management Enhanced and Improved Firewall Features Enhanced and Improved Virtual Private Networking and Remote Access Enhanced and Improved Web Cache and Web Proxy Enhanced and Improved Monitoring and Reporting Multi-Networking Support New Application Layer Filtering (ALF) Features VPN Quarantine Control Missing in Action: Gone but Not Forgotten Live Media Stream Splitting H.323 Gateway Bandwidth Control Active Caching Summary Solutions Fast Track New GUI: More Than Just a Pretty Face Teaching Old Features New Tricks New Features on the Block Missing in Action: Gone But Not Forgotten Frequently Asked Questions Chapter 3: Stalking the Competition: How ISA 2004 Stacks Up Firewall Comparative Issues The Cost of Firewall Operations Specifications and Features Comparing ISA 2004 to Other Firewall Products ISA Server 2004 Comparative Points Comparing ISA 2004 to Check Point Comparing ISA 2004 to Cisco PIX Comparing ISA 2004 to NetScreen Comparing ISA 2004 to SonicWall Comparing ISA 2004 to WatchGuard Comparing ISA 2004 to Symantec Enterprise Firewall Comparing ISA 2004 to Blue Coat SG Comparing ISA 2004 to Open Source Firewalls Summary Comparing Architecture Comparing Functionality Comparing Cost Solutions Fast Track Firewall Comparative Issues Comparing ISA 2004 to Other Firewall Products Frequently Asked Questions Chapter 4: ISA 2004 Network Concepts and Preparing the Network Infrastructure Our Approach to ISA Firewall Network Design and Defense Tactics Defense in Depth ISA Firewall Fallacies Software Firewalls are Inherently Weak You Can't Trust Any Service Running on the Windows Operating System to be Secure ISA Firewalls Make Good Proxy Servers, but I Need a 'Real Firewall' to Protect My Network ISA Firewalls Run on an Intel Hardware Platform, and Firewalls Should Have 'No Moving Parts' 'I Have a Firewall and an ISA Server' Why ISA Belongs in Front of Critical Assets A Better Network and Firewall Topology Tom and Deb Shinder's Configuring ISA 2004 Network Layout Creating the ISALOCAL Virtual Machine How ISA Firewall’s Define Networks and Network Relationships ISA 2004 Multinetworking The ISA Firewall’s Default Networks Creating New Networks Controlling Routing Behavior with Network Rules The ISA 2004 Network Objects ISA Firewall Network Templates Dynamic Address Assignment on the ISA Firewall’s External Interface Dial-up Connection Support for ISA firewalls, Including VPN Connections to the ISP “Network Behind a Network” Scenarios (Advanced ISA Firewall Configuration) Web Proxy Chaining as a Form of Network Routing Firewall Chaining as a Form of Network Routing Configuring the ISA Firewall as a DHCP Server Summary Solutions Fast Track Our Approach to the ISA Firewall Network Design and Defense Tactics Tom and Deb Shinder's Configuring ISA 2004 Network Layout How ISA Firewalls Define Networks and Network Relationships Frequently Asked Questions Chapter 5: ISA 2004 Client Types and Automating Client Provisioning Understanding ISA 2004 Client Types Understanding theISA 2004 SecureNAT Client Name Resolution for SecureNAT Clients Name Resolution and 'Looping Back' Through the ISA 2004 Firewall Understanding the ISA 2004 Firewall Client ISA 2004 Web Proxy Client ISA 2004 Multiple Client Type Configuration Deciding on an ISA 2004 Client Type Automating ISA 2004 Client Provisioning Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery Special Considerations for VPN Clients Automating Installation of the Firewall Client Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console Group Policy Software Installation Silent Installation Script Systems Management Server (SMS) Summary Solutions Fast Track Understanding the ISA 2004 SecureNAT Client Understanding the ISA 2004 Web Proxy Client Understanding the ISA 2004 Firewall Client Frequently Asked Questions Chapter 6: Installing and Configuring the ISA Firewall Software Pre-installation Tasks and Considerations System Requirements Configuring the Routing Table DNS Server Placement Configuring the ISA Firewall's Network Interfaces Unattended Installation Installation via a Terminal Services Administration Mode Session Performing a Clean Installation on a Multihomed Machine Default Post-installation ISA Firewall Configuration The Post-installation System Policy Performing an Upgrade Installation Performing a Single NIC Installation (Unihomed ISA Firewall) Quick Start Configuration for ISA Firewalls Configuring the ISA Firewall's Network Interfaces Installing and Configuring a DNS Server on the ISA Server Firewall Installing and Configuring a DHCP Server on the ISA Server Firewall Installing and Configuring the ISA Server 2004 Software Configuring the Internal Network Computers Hardening the Base ISA Firewall Configuration and Operating System ISA Firewall Service Dependencies Service Requirements for Common Tasks Performed on the ISA Firewall Client Roles for the ISA Firewall Lockdown Mode Connection Limits DHCP Spoof Attack Prevention Summary Solutions Fast Track Pre-installation considerations Performing a clean installation Default Post-install System Policy and Firewall Configuration Frequently Asked Questions Chapter 7: Creating and Using ISA 2004 Firewall Access Policy Introduction ISA Firewall Access Rule Elements Protocols User Sets Content Types Schedules Network Objects The Rule Action Page The Protocols Page The Access Rule Sources Page The Access Rule Destinations Page The User Sets Page Access Rule Properties The Access Rule Context Menu Options Configuring RPC Policy Configuring FTP Policy Configuring HTTP Policy Ordering and Organizing Access Rules How to Block Logging for Selected Protocols Disabling Automatic Web Proxy Connections for SecureNAT Clients Using Scripts to Populate Domain Name Sets Using the Import Scripts Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports Avoiding Looping Back through the ISA Firewall for Internal Resources Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) Blocking MSN Messenger using an Access Rule Allowing Outbound Access to MSN Messenger via Web Proxy Changes to ISA Firewall Policy Only Affects New Connections Configure the Routing Table on the Upstream Router Configure the Network Adaptors Install the ISA Server 2004 Firewall Software Install and Configure the IIS WWW and SMTP Services on the DMZ Server Create the DMZ Network Create the Network Rules Between the DMZ and External Network and for the DMZ and Internal Network Create Server Publishing Rule Allowing DNS from DMZ to Internal Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allowing DNS from Internal to External Create an Access Rule Allow HTTP from External to DMZ Create an Access Rule Allowing SMTP from External to DMZ Test the Access Rules from External to DMZ Test the DNS Rule from the DMZ to the Internal Network Change the Access Rule Allowing External to DMZ by Disabling the Web Proxy Filter Allowing Intradomain Communications through the ISA Firewall Solutions Fast Track Configuring Access Rules for Outbound Access through the ISA Firewall Using Scripts to Populate Domain Name Sets Creating and Configuring a Public Address Trihomed DMZ Network Frequently Asked Questions Chapter 8: Publishing Network Services with ISA 2004 Firewalls Overview of Web Publishing and Server Publishing Web Publishing Rules Server Publishing Rules The Select Rule Action Page The Define Website to Publish Page The Public Name Details Page The Select Web Listener Page and Creating an HTTP Web Listener The User Sets Page The Web Publishing Rule Properties Dialog Box Creating and Configuring SSL Web Publishing Rules SSL Bridging Importing Web Site Certificates into The ISA Firewall's Machine Certificate Store Requesting a User Certificate for the ISA Firewall to Present to SSL Web Sites Creating an SSL Web Publishing Rule Creating Server Publishing Rules The Server Publishing Rule Properties Dialog Box Server Publishing HTTP Sites Creating Mail Server Publishing Rules The Web Client Access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync Option The Client Access: RPC, IMAP, POP3, SMTP Option Summary Solutions Fast Track Overview of Web Publishing and Server Publishing Creating and Configuring Non-SSL Web Publishing Rules Creating and Configuring SSL Web Publishing Rules Frequently Asked Questions Chapter 9: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls Overview of ISA Firewall VPN Networking Firewall Policy Applied to VPN Client Connections Firewall Policy Applied to VPN Site-to-Site Connections VPN Quarantine User Mapping of VPN Clients SecureNAT Client Support for VPN Connections Site-to-Site VPN Using Tunnel Mode IPSec Publishing PPTP VPN Servers Pre-shared Key Support for IPSec VPN Connections Advanced Name Server Assignment for VPN Clients Monitoring of VPN Client Connections Creating a Remote Access PPTP VPN Server Enable the VPN Server Create an Access Rule Allowing VPN Clients Access to Allowed Resources Enable Dial-in Access Test the PPTP VPN Connection Issue Certificates to the ISA Firewall and VPN Clients Test the L2TP/IPSec VPN Connection Monitor VPN Clients Using a Pre-shared Key for VPN Client Remote Access Connections Creating a PPTP Site-to-Site VPN Create the Remote Site Network at the Main Office Create the Network Rule at the Main Office Create the Access Rules at the Main Office Create the VPN Gateway Dial-in Account at the Main Office Create the Remote Site Network at the Branch Office Create the Network Rule at the Branch Office Create the Access Rules at the Branch Office Create the VPN Gateway Dial-in Account at the Branch Office Activate the Site-to-Site Links Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA Request and install a Web Site Certificate for the Main Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA Request and Install a Web Site Certificate for the Branch Office Firewall Configure the Main Office ISA Firewall to Use L2TP/IPSec for the Site-to-Site Link Activate the L2TP/IPSec Site-to-Site VPN Connection Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways Using RADIUS for VPN Authentication and Remote Access Policy Configure the Internet Authentication Services (RADIUS) Server Create a VPN Clients Remote Access Policy Remote Access Permissions and Domain Functional Level Changing the User Account Dial-in Permissions Changing the Domain Functional Level Controlling Remote Access Permission via Remote Access Policy Enable the VPN Server on the ISA Firewall and Configure RADIUS Support Create an Access Rule Allowing VPN Clients Access to Approved Resources Make the Connection from a PPTP VPN Client Using EAP User Certificate Authentication for Remote Access VPNs Configuring the ISA Firewall Software to Support EAP Authentication Enabling User Mapping for EAP Authenticated Users Issuing a User Certificate to the Remote Access VPN Client Machine Supporting Outbound VPN Connections through the ISA Firewall Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall Creating a Site-to-Site VPN Between an ISA Server 2000 and ISA Firewall Run the Local VPN Wizard on the ISA Server 2000 firewall Change the Password for the Remote VPN User Account Change the Credentials the ISA Server 2000 Firewall uses for the Demand-dial Connection to the Main Office Change the ISA Server 2000 VPN Gateway's Demand-dial Interface Idle Properties Create a Static Address Pool for VPN Clients and Gateways Run the Remote Site Wizard on the Main Office ISA firewall Create a Network Rule that Defines the Route Relationship Between the Main and Branch Office Create Access Rules Allowing Traffic from the Main Office to the Branch Office Create the User Account for the Remote VPN Router Test the connection A Note on VPN Quarantine Summary Solutions Fast Track Overview of ISA Firewall VPN Networking Creating a Remote Access PPTP VPN Server Creating a Remote Access L2TP/IPSec Server Frequently Asked Questions Chapter 10: ISA 2004 Stateful Inspection and Application Layer Filtering Introduction Application Filters The SMTP Filter and Message Screener The DNS Filter The POP Intrusion Detection Filter The SOCKS V4 Filter The FTP Access Filter The H.323 Filter The MMS Filter The PNM Filter The PPTP Filter The RPC Filter The RTSP Filter Web Filters The HTTP Security Filter (HTTP Filter) The ISA Server Link Translator The Web Proxy Filter The SecurID Filter The OWA Forms-based Authentication Filter The RADIUS Authentication Filter IP Filtering and Intrusion Detection/Intrusion Prevention Common Attacks Detection and Prevention DNS Attacks Detection and Prevention IP Options and IP Fragment Filtering Summary Solutions Fast Track Application Layer Filters Web Filters Intrusion Detection and Prevention Frequently Asked Questions Chapter 11: Accelerating Web Performance with ISA 2004 Caching Capabilities Understanding Caching Concepts Web Caching Types Web Caching Architectures Web Caching Protocols Understanding ISA Server 2004's Web Caching Capabilities Using the Caching Feature Understanding Cache Rules Understanding the Content Download Feature Configuring ISA Server 2004 as a Caching Server Enabling and Configuring Caching How to Configure Caching Properties Creating Cache Rules Configuring Content Downloads Summary Fast Track Frequently Asked Questions Chapter 12: Using ISA Server 2004's Monitoring, Logging, and Reporting Tools Introduction Exploring the ISA Server 2004 Dashboard Dashboard Sections Configuring and Customizing the Dashboard Creating and Configuring ISA Server 2004 Alerts Alert-triggering Events Viewing the Predefined Alerts Creating a New Alert Modifying Alerts Viewing Triggered Alerts Monitoring ISA Server 2004 Connectivity, Sessions, and Services Configuring and Monitoring Connectivity Monitoring Sessions Monitoring Services Working with ISA Server 2004 Logs and Reports Understanding ISA Server 2004 Logs Generating, Viewing, and Publishing Reports with ISA Server 2004 Using ISA Server 2004's Performance Monitor Solutions Fast Track Exploring the ISA Server 2004 Dashboard Creating and Configuring ISA Server 2004 Alerts Monitoring ISA Server 2004 Sessions and Services Working with ISA Server 2004 Logs and Reports 1Using ISA Server 2004's Performance Monitor Frequently Asked Questions Appendix: Network Security Basics Introduction Security Overview Defining Basic Security Concepts Knowledge is Power Think Like a Thief Security Terminology Addressing Security Objectives Controlling Physical Access Preventing Accidental Compromise of Data Preventing Intentional Internal Security Breaches Preventing Unauthorized External Intrusions Recognizing Network Security Threats Understanding Intruder Motivations Classifying Specific Types of Attacks Designing a Comprehensive Security Plan Evaluating Security Needs Understanding Security Ratings Legal Considerations Designating Responsibility for Network Security Designing the Corporate Security Policy Educating Network Users on Security Issues Incorporating ISA Server in your Security Plan ISA Server Intrusion Detection Implementing a System Hardening Plan with ISA Summary Index Numbers Index A Index B Index C Index D Index E Index F Index G Index H Index I Index J Index K Index L Index M Index N Index O Index P Index Q Index R Index S Index T Index U Index V Index W Index Z List of Figures List of Tables List of Sidebars

توضیحات
افزودن یادداشت جدید





















Automating Installation of the Firewall Client





The Firewall client software can be installed on virtually any 32-bit version of Windows except Windows 95. There are a number of compelling reasons for installing the Firewall client software on all machines that supports its installation:











The Firewall client allows you to create user/group-based access controls for all TCP and UDP protocols. This is in contrast to the Web Proxy client configuration, which only supports HTTP, HTTPS and FTP.











The Firewall client has access to all TCP and UDP protocols, including those requiring secondary connections. In contrast, the SecureNAT client does not support application protocols that require secondary connections unless there is an application filter to support it.











The Firewall client provides much better performance than the SecureNAT client.











The Firewall client sends application information to the ISA 2004 firewall service; this allows the Firewall service logs to collect application usage information and helps you determine which applications users are using to access Internet sites and services.











The Firewall client sends user information to the Firewall service; this enables the ISA 2004 firewall to control access based on user account and record user information in the Firewall service's access logs. This information can be extracted and put into report form.











With these features, the Firewall client provides a level of functionality, security and access control that no other firewall in its class can match. For this reason, we always recommend that you install the Firewall client on any machine supporting the Firewall client software.





However, because the Firewall client configuration requires the Firewall client software to be installed, many firewall administrators are hesitant to avail themselves of the full feature set provided by the Firewall client. Many ISA 2004 firewall administrators don't have the time or the resources to 'touch' (visit) each authorized computer on the corporate network in order to install the Firewall client software.





The solution to this problem is to automate the installation of the Firewall client. There are two methods that you can use. These methods require no additional software purchase and can greatly simplify the installation of the Firewall client software on large numbers of computers on the corporate network. These methods are:











Group Policy-based software installation and management











Silent installation script











In the following section, we will discuss these methods, as well as some key ISA Server client configuration settings you should make in the ISA Management console.





Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console






There are a few configuration options you should set for the Firewall client before you configure a Group Policy or a silent installation script to install the Firewall client software. These settings, made at the Microsoft Internet Security and Acceleration Server 2004 management console, determine issues such as Firewall client autodiscovery behavior and whether (and how) the Web browser is configured during installation of the Firewall client.





Perform the following steps on the ISA 2004 firewall to configure these settings:











In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node.











Click the Networks node, and then click Networks on the Details tab. Right-click the Internal network, and click Properties.











In the Internal Properties dialog box, click the Firewall Client tab.











On the Firewall Client tab, put a checkmark in the Enable Firewall client support for this network check box. In the Firewall client configuration frame, enter the name of the ISA 2004 firewall computer in the ISA Server name or IP address text box. The default setting is the computer name. However, you should replace the computer (NetBIOS) name with the fully-qualified domain name of the ISA 2004 firewall. When you replace the computer name with the FQDN, the Firewall client machines can use DNS to correctly resolve the name of the ISA 2004 firewall. This will avoid one of the most common troubleshooting issues with Firewall client connectivity. Make sure there is an entry for this name in your Internal network's DNS server.





The Web Proxy client configuration settings are available in the Web browser configuration on the Firewall client computer frame. These settings will automatically configure the Web browser as a Web Proxy client. Note that you can change the settings later, and the Web browsers will automatically update themselves with the new settings.





The Automatically detect settings option allows the Web browser to detect the Web Proxy and configure itself based on the settings you configure on the Web Browser tab of the Internal Properties dialog box, shown in Figure 5.50.














Figure 5.50: Internal Properties Dialog Box.





The Use automatic configuration script option allows you to assign a proxy autoconfiguration file (PAC) address to the Web browser. The Web browser will then query the location you specify or use the default location; the default location is on the ISA 2004 firewall. Note that when you use the default location, you obtain the same information you would receive if you had configured the Web browser to use the Automatically detect settings option. The Use default URL option automatically configures the browser to connect to the ISA 2004 firewall for autoconfiguration information. You can use the Use custom URL if you want to create your own PAC file that overrides the settings on the automatically-generated file at the ISA 2004 firewall. You can find more information on PAC files and proxy client autoconfiguration files in Using Automatic Configuration and Automatic Proxy at www.microsoft.com/resources/documentation/ie/5/all/reskit/en-us/part5/ch21auto.mspx





The Use a Web Proxy server option allows you to configure the Web browser to use the ISA 2004 as its Web Proxy, but without the benefits of the autoconfiguration script information. This setting provides higher performance than the SecureNAT client configuration, but you do not benefit from the settings contained in the autoconfiguration script. The most important configuration settings in the autoconfiguration script include site names and addresses that should be used for Direct Access. For this reason, you should avoid this option unless you do not wish to use Direct Access to bypass the Web Proxy service to access selected Web sites.










Note





Web Proxy client Direct Access configuration allows you to bypass the Web Proxy service for selected Web sites. Some Web sites do not conform to Internet standards (Java sites are the most common offenders), and therefore do not work properly through Web Proxy servers. To configure these sites for Direct Access and the client machine, bypass the Web Proxy service and use an alternate means to connect to the destination Web site (such as via a SecureNAT or firewall client configuration). In order for the client to use an alternate connection method, the client machine must be configured as a Firewall and/or SecureNAT client.












Click the Web Browser tab, as shown in Figure 5.51. There are several settings in this dialog box that configure the Web Proxy clients via the autoconfiguration script. Note that in order for these options to take effect, you must configure the Web Proxy clients to use the autoconfiguration script either via autodiscovery and autoconfiguration or via a manual setting for the location of the autoconfiguration script.














Figure 5.51: Web Browser Tab on the Internal Properties Dialog Box





The Bypass proxy for Web server in this network option allows the Web browser to use Direct Access to directly connect to servers that are accessible via a single label name. For example, if the user accesses a Web server on the Internal network using the URL http://SERVER1, the Web Proxy client browser will not send the request to the ISA 2004 firewall. Instead, the Web browser will directly connect to the SERVER1 machine. This reduces the load on the ISA 2004 firewall and prevents users from looping back through the ISA 2004 firewall to access Internal network resources. Note that the Bypass proxy for Web server in this network setting does not mean the browser will bypass the Web Proxy for accessing internal IP addresses. It will bypass the Web Proxy only when using a single label name when connecting to the resource.





The Directly access computers specified in the Domains tab option allows you to configure Direct Access to machines contained in the Domains tab. The Domains tab contains a collection of domain names that are used by the Firewall client to determine which hosts are part of the Internal network and bypass the ISA 2004 firewall when contacting hosts that are part of the same domain. The Web Proxy client can also use the domain on this list for Direct Access. We recommend that you always select this option as it will reduce the load on the ISA 2004 firewall by preventing Web Proxy clients from looping back through the firewall to access Internal network resources. In addition, this setting is a pivotal component of a split DNS infrastructure.





The Directly access these servers or domains list is a list of computer addresses or domain names that you can configure for Direct Access. Click the Add button.











In the Add Server dialog box shown in Figure 5.52, you can select the IP address within this range option, and then enter an IP address or IP address range of machines that you want to Directly Access. You also have the option to select the Domain or computer option and enter the computer name or the FQDN of the machine that you want to access via Direct Access. A common domain name to enter for Direct Access is the msn.com domain, because this domain, along with the passport.com and the hotmail.com domains must be configured for Direct Access to simplify Web Proxy client connections to the Microsoft Hotmail site.














Figure 5.52: The Add Server Dialog Box











If the ISA firewall is unavailable, use this backup route to connect to the Internet option allows machines configured as Web Proxy clients to use other means to connect to the Internet. Typically, this means that the Web Proxy client will leverage its SecureNAT or Firewall client configuration to connect to the Internet. If the machine is not configured as a SecureNAT and/or Firewall client, then no access will be allowed if the Web Proxy service becomes unavailable.











Click Apply, and then click OK, after making the changes to the configuration in the Internal Properties dialog box.











Click Apply to save the changes and update the firewall policy.











At this point the Firewall and Web Proxy client configuration is ready, and you can install the Firewall client on machines behind the ISA 2004 firewall and have these settings automatically configured on them.





Group Policy Software Installation






You might not wish to install the Firewall client on all machines. For example, domain controllers and published servers should not be configured as Firewall clients. You can gain granular control over Group Policy-based software installation by creating an organizational unit for Firewall clients and then configuring an Organization Unit (OU) group policy object to install the Firewall client only on computers belonging to that OU.










Note





Placing machines in a Firewall client's OU is only one possible solution. If you have the requisite Active Directory (AD) expertise, you may wish to link the Group Policy Object to a higher level (domain or site) if you don't want to move the computer to another OU and create a Group Policy for each OU. However, you may need to filter the Group Policy Object using Groups or WMI filters, which incurs its own administrative overhead. By default, all computers are placed in the computer container (which is not an OU), and you must either link the Group Policy to the Domain or the Site, or create an OU and move the computer objects to the OU, and then link the Group Policy Object. Note that it's vital that not all machines be assigned the Firewall client software, as Domain Controllers and other server computers should not use the Firewall client unless it is absolutely required, such as the case when you want to publish servers that require complex protocol support.










Perform the following steps on the domain controller to create the OU, and then configure software installation and management to install the Firewall client on machines belonging to the OU:











Click Start, and select the Administrative Tools menu. Click Active Directory Users and Computers. Right-click on your domain name, and click Organizational Unit.











In the New Object - Organizational Unit dialog box, enter a name for the OU in the Name text box. In this example, we will call the OU FWCLIENTS. Click OK.











Click on the Computers node in the left pane of the console. Right-click your client computer, and click the Move command.











In the Move dialog box, click the FWCLIENTS OU, and click OK.











Click on the FWCLIENTS OU. You should see the computer you moved into this OU.











Right-click the FWCLIENTS OU, and click the Properties command.











Click the Group Policy tab in the FWCLIENTS dialog box. Click the New button to create a New Group Policy Object. Select the New Group Policy Object and click Edit.











Expand the Computer Configuration node, and then expand the Software Settings node. Right-click on Software installation, point to New and click Package.











In the Open text box, type the path to the Firewall client's Microsoft installer package (.msi file) in the File name text box. In this example, the path is:





\\isa2\mspclnt\MS_FWC.MSI





Where isa2 is the NetBIOS name of the ISA 2004 firewall computer or the name of the file server hosting the Firewall client installation files; mspclnt is the name of the share on the ISA 2004 firewall computer that contains the Firewall client installation files, and MS_FWC.MSI is the name of the Firewall client Microsoft installer package. Click Open after entering the path.











In the Deploy Software dialog box, select the Assigned option (see Figure 5.54) and click OK. Notice that you do not have the Published option when installing software using the Computer Configuration node. The software is installed before the user logs on. This is critical because only local administrators can install the Firewall client software. In contrast, you can assign software to machines and the software will install when no other user is logged onto the machine. Click OK.














Figure 5.53: Entering the Installer Path














Figure 5.54: Choosing the Assigned Option











The new managed software package appears in the right pane of the console. All machines in the OU will have the Firewall client software installed when they are restarted. You can also manage the Firewall client software from here, as shown in Figure 5.55.














Figure 5.55: Managed Software










Note





For more details on how to take full advantage of Group Policy-based software installation and maintenance, please see the Step-by-Step Guide to Software Installation and Maintenance at www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp












Close the Group Policy Object Editor and the Active Directory Users and Computers console.











When you restart the machines in the FWCLIENTS OU, you will see the log-on dialog box (Figure 5.56) provide information about how managed software is being installed on the Windows client operating system.














Figure 5.56: Logging On











Silent Installation Script






Another useful method for installing the Firewall client software is to use a silent installation script. This method is useful when the logged-on user is a member of the local administrator's group. The silent installation script does not expose the user to any dialog boxes, and the user does not need to make decisions during the installation process.










Tip





In most situations, the Firewall client sends credentials of domain users to the ISA 2004 firewall. The ISA 2004 firewall must be a member of the user domain, or member of a domain that trusts the user domain, in order to authenticate users who authenticate with the Firewall client. Since users are already members of an Active Directory domain, a more efficient method of installing the Firewall client is to use Active Directory Group Policy. However, there are situations where there is no Active Directory domain, or you do not want to make the ISA 2004 firewall a member of the domain. In this case, you can mirror user accounts on the ISA 2004 firewall. The user accounts you configure on the ISA 2004 firewall will have the same user names and passwords that the users use to log on to their machines.










Open notepad; copy the following line into the new text document, and save the file as 'fwcinstall.cmd': msiexec /i \\ISA2\mspclnt\MS_FWC.msi /qn /l*v c:\mspclnt_i.log





The \\ISA2 entry is the computer name of the ISA 2004 firewall computer and will vary for each installation location. The rest of the line can be used exactly as listed above. Users can then go to a Web page, or click a link in an email message pointing them to this batch file. The process is very simple and only requires the user to click the link to run the script and from our experience with users and e-mail worms, we know they have no problems double clicking on exectuables. You could also place the .cmd file on a corporate Web site and send a message to users to visit the site and run the command. The installation is completely transparent, and the only thing the user will see is a momentary command prompt window and the Firewall client icon in the system tray when the procedure is completed.










Warning





The user must be a member of the local Administrator's group to install the Firewall client software. If the user is not a member of the local Administrator's group, the software installation will fail. You can get around this problem by assigning the Firewall client software to machines. The software is installed before user log-on, so there are no issues with who the logged-on user is at the time of installation.










Systems Management Server (SMS)






Organizations using Systems Management Server (SMS) 2003 can use the software distribution feature of SMS to deploy the Firewall client software. The Software distribution routine in SMS 2003 provides the ability to deploy Windows Installer (.msi) files to any computer that is assigned to the SMS environment in a manner similar to the Active Directory Group Policy software management feature. Do the following to deploy the Firewall client using SMS 2003:











Create a collection that includes all the machines on which you want the Firewall client installed. An SMS collection is a group of network objects, such as computers or users, which are treated as an SMS management group. You can configure requirements such as IP address, hardware configuration, or add clients directly by name to group all computers that require the Firewall client software.











Create a package by importing the Firewall client Windows file (MS_FWC.msi). The Windows Installer file automatically includes a variety of attended and unattended installation options that can be used on a per-system or per-user basis. Programs are also created to uninstall the client. The per-system programs are configured to install the client with administrative rights whether or not the user is logged on. The per-user programs install the client using the credentials of the logged-on user. This provides an advantage over the Group Policy method, which does not allow you to temporarily elevate privileges to install the Firewall client application.











Create an SMS advertisement, which specifies the target collection and program to install. In order to control deployment, you can schedule a time for the program to be advertised to collection members.











/ 145