Chapter 6: Installing and Configuring the ISA Firewall Software - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]


Thomas W. Shinder; Debra Littlejohn Shinder



















Chapter 6: Installing and Configuring the ISA Firewall Software




Pre-installation Tasks and Considerations





There are several key pre-installation tasks and considerations you need to address before installing the ISA firewall software. These include:

- System Requirements
- Configuring the Routing Table
- DNS Server Placement
- Configuring the ISA Firewall's Network Interfaces
- Unattended Installation
- Installation via a Terminal Services Administration Mode Session







System Requirements





The following are requirements for installing the ISA firewall software:

- Intel or AMD system with a 550 megahertz (MHz) or higher processor
- Windows 2000 or Windows Server 2003 operating system
- A minimum of 256 megabytes (MB) of memory; a practical minimum of 512 MB of memory for non-Web caching systems, and 1000 MB for Web-caching ISA firewalls
- At least one network adapter; two or more network adapters are required to obtain stateful filtering and stateful application-layer inspection firewall functionality
- An additional network adapter for each network connected to the ISA Server computer
- One local hard-disk partition that is formatted with the NTFS file system, and at least 150 MB of available hard disk space (this is exclusive of hard-disk space you want to use for caching)
- Additional disk space, which ideally is on a separate spindle, if you plan on using the ISA firewall's Web-caching feature









Special installation issues if you plan on installing the ISA firewall software on Windows 2000 include:

- Windows 2000 Service Pack 4 (SP4), or later, must be installed.
- Internet Explorer 6, or later, must be installed.
- If you are using the Windows 2000 SP4 slipstream, you must also install the hotfix specified in article 821887, 'Events for Authorization Roles Are Not Logged in the Security Log When You Configure Auditing for Windows 2000 Authorization Manager Runtime,' in the Microsoft Knowledge Base at http://support.microsoft.com/default.aspx?scid=kb;en-us;821887.
- You cannot configure the L2TP IPSec pre-shared key.
- VPN Quarantine is not supported when using RADIUS policy.
- All ISA Server services run using the local system account.









Another important consideration is capacity planning. While the above reflects minimal system requirements for installing and running the ISA firewall software, the ideal configuration is obtained when you size the hardware to optimize the ISA firewall software performance for your site. Table 6.1 provides basic guidelines regarding processor, memory, disk space and network adapter requirements based on Internet link speed.




































Table 6.1: Basic Processor, Memory, Disk Space and Network Adapter Requirements Based on Link Speed

| Internet link speed | Up to 7.5 Mbps | Up to 25 Mbps | Up to 45 Mbps | Notes |
|---|---|---|---|---|
| Processors | 1 | 1 | 2 | |
| Processor type | Pentium III 550 MHz (or higher) | Pentium 4 2.0 - 3.0 GHz | Xeon 2.0 - 3.0 GHz | You can use other processors with comparable power that emulate the IA-32 instruction set. In deployments requiring only stateful filtering ('stateful packet inspection' - that is, when there is no need for higher security stateful application-layer inspection), the Pentium 4 and Xeon processor recommendations reach LAN wire speeds. |
| Memory | 256 MB | 512 MB | 1 GB | With Web caching enabled, these requirements may be increased by approximately 256-512 MB. |
| Disk space | 150 MB | 2.5 GB | 5 GB | This is exclusive of hard-disk space you need to use for caching and logging. |
| Network adapter | 10/100 Mbps | 10/100 Mbps | 100/1000 Mbps | These are the requirements for the network adapters not connected to the Internet. |
| Concurrent remote-access VPN connections | 150 | 700 | 850 | The Standard Edition of the ISA firewall supports a coded maximum of 1000 concurrent VPN connections. |









For an exceptionally thorough and comprehensive discussion on ISA firewall performance optimization and sizing, please refer to the Microsoft document ISA Server 2004 Performance Best Practices at www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx.





Configuring the Routing Table





The routing table on the ISA firewall machine should be configured before you install the ISA firewall software. The routing table should include routes to all networks that are not local to the ISA firewall's network interfaces. These routing table entries are required because the ISA firewall can have only a single default gateway. Normally, the default gateway is configured on the network interface that is used for the External Network. Therefore, if you have an internal or other Network that contains multiple subnets, you should configure routing table entries that ensure the ISA firewall can communicate with the computers and other IP devices on the appropriate subnets. The network interface with the default gateway is the one used to connect to the Internet, either directly or via upstream routers.




The routing table entries are critical to support the ISA firewall's 'network-within-a-Network' scenarios. A network within a Network is a network ID located behind a NIC on the ISA firewall that is a non-local network.




Figure 6.1 shows a simple network-within-a-Network scenario.











Figure 6.1: Network within a Network




This small organization's IP addressing scheme uses two network IDs for the corporate network: 192.168.1.0/24 and 192.168.2.0/24. The network local to the ISA firewall's internal interface is 192.168.1.0/24. The network remote from the ISA firewall's internal interface is 192.168.2.0/24. A corporate network router separates the network and routes packets between these two network IDs.




The ISA firewall's networking model includes both of these networks as part of the same Network (Note: A capital 'N' indicates an ISA firewall-defined network). You would naturally assume that the 192.168.1.0/24 would be an ISA-defined Network since it includes an entire network ID, but you might also assume that network ID 192.168.2.0/24 would be defined as a second ISA firewall-defined Network. That would be incorrect because the ISA firewall's Network model includes all networks (all IP addresses) reachable from a specific interface on the ISA firewall as being part of the same network.




The rationale behind this is that hosts on the same ISA-defined Network do not use the ISA firewall to mediate communications between themselves. It makes no sense for the ISA firewall to mediate communications between hosts on networks IDs 192.168.1.0/24 and 192.168.2.0/24, as this would require hosts to loop back through the firewall to reach hosts to which they should directly communicate.




In this example, there should be a routing table entry on the ISA firewall indicating that in order to reach network ID 192.168.2.0/24, the connection must be forwarded to IP address 192.168.2.1 on the corporate router. You can use either the RRAS console or the command line ROUTE and netsh commands to add the routing table entry.




The ISA firewall must know the route to each internal network ID. If you find that connections are not being correctly forwarded by the ISA firewall to hosts on the corporate network, confirm that there are routing table entries on the ISA firewall indicating the correct gateway for each of those network IDs.









Tip




You can greatly simplify your ISA firewall Network definitions and routing table entries by creating a well-designed IP addressing infrastructure with proper subnet design that allows for route summarization.
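The following Python script is an added example, not code from the book or from ISA Server. It models the Figure 6.1 scenario: an ISA firewall whose LAN interface sits on 192.168.1.0/24, a second corporate network ID 192.168.2.0/24 behind a corporate router, and (as an added assumption) a third network ID 192.168.3.0/24 behind the same router. The router's address on the ISA-local subnet, 192.168.1.254, and the external addresses are constructed values. The script works out which network IDs need static routes because they are not local to any ISA interface, checks that each next hop is actually on-link (a route whose gateway is not reachable from an interface is silently useless), collapses adjacent network IDs that share a gateway into one summarized route as the Tip suggests, emits the matching persistent ROUTE ADD commands, and reports which network IDs a given routing table still leaves unreachable, which is the check to run when connections are not being forwarded to corporate hosts.

```python
import ipaddress

# Constructed topology modelled on the Figure 6.1 scenario. The router's address
# on the subnet local to the ISA firewall's LAN interface (192.168.1.254) and
# the third network ID (192.168.3.0/24) are assumptions added for illustration.
ISA_INTERFACES = {
    "LAN": {"address": "192.168.1.1/24", "default_gateway": None},
    "WAN": {"address": "203.0.113.2/30", "default_gateway": "203.0.113.1"},
}

# Corporate network IDs behind the ISA firewall, each with the next-hop router
# the ISA firewall must use to reach it (None means directly connected).
CORPORATE_NETWORKS = {
    "192.168.1.0/24": None,
    "192.168.2.0/24": "192.168.1.254",
    "192.168.3.0/24": "192.168.1.254",
}


def local_subnets(interfaces):
    """Subnets directly attached to the ISA firewall's interfaces."""
    return [ipaddress.ip_interface(i["address"]).network for i in interfaces.values()]


def is_local(network, interfaces):
    net = ipaddress.ip_network(network)
    return any(net.subnet_of(local) for local in local_subnets(interfaces))


def required_static_routes(networks, interfaces):
    """(network, gateway) pairs for every network ID that is not local.

    Raises ValueError when a non-local network has no next hop, or when the
    next hop is not on-link for one of the ISA firewall's interfaces.
    """
    routes = []
    for network, gateway in networks.items():
        if is_local(network, interfaces):
            continue
        if gateway is None:
            raise ValueError(f"{network} is not local and has no next-hop router")
        gw = ipaddress.ip_address(gateway)
        if not any(gw in local for local in local_subnets(interfaces)):
            raise ValueError(f"next hop {gateway} for {network} is not on-link")
        routes.append((ipaddress.ip_network(network), gw))
    return routes


def summarize_routes(routes):
    """Collapse adjacent network IDs that share a gateway (route summarization)."""
    by_gateway = {}
    for network, gw in routes:
        by_gateway.setdefault(gw, []).append(network)
    return [(net, gw) for gw, nets in by_gateway.items()
            for net in ipaddress.collapse_addresses(nets)]


def route_add_commands(routes):
    """Persistent ROUTE ADD commands for the Windows command line."""
    return [f"route -p add {n.network_address} mask {n.netmask} {gw}"
            for n, gw in routes]


def missing_routes(networks, interfaces, routing_table):
    """Non-local network IDs with no covering entry in the routing table.

    The default route (0.0.0.0/0) is ignored on purpose: it points out the
    external interface, so it cannot reach hosts on internal network IDs.
    """
    table = [r for r in map(ipaddress.ip_network, routing_table) if r.prefixlen > 0]
    return [network for network in networks
            if not is_local(network, interfaces)
            and not any(ipaddress.ip_network(network).subnet_of(r) for r in table)]


if __name__ == "__main__":
    routes = required_static_routes(CORPORATE_NETWORKS, ISA_INTERFACES)
    for cmd in route_add_commands(summarize_routes(routes)):
        print(cmd)
    print("unreachable:", missing_routes(CORPORATE_NETWORKS, ISA_INTERFACES, ["0.0.0.0/0"]))
```

With the constructed topology the two remote network IDs collapse into a single 192.168.2.0/23 route via 192.168.1.254, and a routing table that holds only the default route leaves both of them unreachable, which is exactly the symptom the text describes.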






DNS Server Placement





DNS server and host name resolution issues represent the most common ISA firewall connectivity problems. Name resolution for both corporate network and Internet hosts must be performed correctly. If the company's name resolution infrastructure isn't properly configured, one of the first victims of the flawed name resolution design will be the ISA firewall.




The ISA firewall must be able to correctly resolve both corporate and Internet DNS names. The ISA firewall performs name resolution for both Web Proxy and Firewall clients. If the firewall cannot perform name resolution correctly, Internet connectivity for both Web Proxy and Firewall clients will fail.




Correct name resolution for corporate network resources is also critical because the ISA firewall must be able to correctly resolve names for corporate network resources published via Web Publishing rules. For example, when you create a secure-SSL Web Publishing Rule, the ISA firewall must be able to correctly forward incoming connection requests to the FQDN used for the common name on the Web site certificate bound to the published Web server on the corporate network.




The ideal name resolution infrastructure is the split DNS. The split-DNS infrastructure allows external hosts to resolve names to publicly-accessible addresses and corporate network hosts to resolve names to privately-accessible addresses. Figure 6.2 depicts how a split-DNS infrastructure works to enhance name resolution for hosts inside your corporate network, as well as those that roam between the corporate network and remote locations on the Internet.











Figure 6.2: The Miracle of the Split-DNS Infrastructure









1. A user at a remote location needs to access resources on the corporate Web server, www.msfirewall.org. The www.msfirewall.org Web server is hosted on an ISA firewall-Protected Network and published using an ISA firewall Web Publishing Rule. The remote user sends a request to www.msfirewall.org, and the name is resolved by the public DNS server authoritative for the msfirewall.org domain. The name is resolved to an IP address on the external interface of the ISA firewall used by the Web listener designated in the Web Publishing Rule.

2. The remote Web client sends the request to the IP address on the external interface used by the Web Publishing Rule's Web listener.

3. The ISA firewall resolves the name www.msfirewall.org to the actual IP address bound to the www.msfirewall.org Web site on the corporate network by querying the Internal network DNS server authoritative for the msfirewall.org domain.

4. The ISA firewall forwards the connection to the actual IP address bound to the www.msfirewall.org Web site on the corporate network.

5. A host on the corporate network needs to access resources on the www.msfirewall.org Web site. The corporate user sends a request to the corporate DNS server that is authoritative for the msfirewall.org domain. The corporate DNS server resolves the name www.msfirewall.org to the actual IP address bound to the www.msfirewall.org Web site on the corporate network.

6. The Web client on the corporate network connects directly to the www.msfirewall.org Web server. The Web client doesn't loop back to reach the www.msfirewall.org Web site on the corporate network because Web Proxy clients are configured for direct access to resources on the msfirewall.org domain.









The split-DNS infrastructure provides transparent access to resources for users regardless of their location. Users can move between the corporate network and remote locations and use the same name to reach the same corporate resources. They don't need to reconfigure their mail clients, news clients, and other applications because the same name is used to access the resources regardless of location. Any organization needing to support users that roam between the corporate network and remote locations should implement a split DNS infrastructure.




Requirements for the split-DNS infrastructure include:

- A DNS server authoritative for the domain that resolves names for resources in that domain to the internal addresses used to access those resources
- A DNS server authoritative for the domain that resolves names for resources in that domain to the publicly-accessible addresses used to access those resources
- Remote users must be assigned DNS server addresses that forward requests for the domain to a public DNS server. This is easily accomplished using DHCP.
- Corporate users must be assigned DNS server addresses that forward requests for the domain to the private DNS server. This is easily accomplished using DHCP.
- The ISA firewall must be able to resolve names of published resources and all other resources hosted on an ISA firewall-Protected Network to the private address used to access that resource.









Most organizations that use the ISA firewall will have one or more internal DNS servers. At least one of those DNS servers should be configured to resolve both internal and Internet host names, and the ISA firewall should be configured to use that DNS server. If you have an internal network DNS server, you should never configure the ISA firewall's interfaces to use an external DNS server. This is a common mistake and can lead to slow or failed name resolution attempts.
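The Python below is an added example, not code from the book, that plays through the split-DNS exchange in Figure 6.2 for the chapter's www.msfirewall.org name. The two zones are constructed: the public zone answers with 203.0.113.10 (standing in for the ISA firewall's external Web listener address) and the private zone answers with 192.168.1.20 (standing in for the published Web server); both addresses and the 192.168.0.0/16 internal range are assumptions. A remote client is handed the public resolver, lands on the listener, and the ISA firewall resolves the same name through the internal DNS server to forward the connection; a corporate client gets the private answer and goes direct without looping through the firewall. The last function is the check a practitioner wants before publishing a name: both zones must answer, and the private answer must be an internal address, otherwise the firewall forwards the published request back to its own listener.

```python
import ipaddress

# Constructed zone data for the chapter's msfirewall.org example. The addresses
# are assumptions: 203.0.113.10 stands in for the ISA firewall's external
# listener address and 192.168.1.20 for the published Web server.
PUBLIC_ZONE = {"www.msfirewall.org": "203.0.113.10"}
PRIVATE_ZONE = {"www.msfirewall.org": "192.168.1.20"}
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETWORKS)


def resolve(name, zone):
    """Answer for an A query against one authoritative zone (NXDOMAIN -> LookupError)."""
    try:
        return zone[name.rstrip(".").lower()]
    except KeyError:
        raise LookupError(f"NXDOMAIN: {name}") from None


def resolver_for(client_ip):
    """DHCP hands corporate clients the private DNS server and remote clients the public one."""
    return PRIVATE_ZONE if is_internal(client_ip) else PUBLIC_ZONE


def isa_forward_target(published_name):
    """The ISA firewall resolves a published FQDN through the internal DNS server."""
    return resolve(published_name, PRIVATE_ZONE)


def client_path(name, client_ip):
    """Where a client's connection lands and which host finally serves it."""
    first_hop = resolve(name, resolver_for(client_ip))
    if is_internal(first_hop):
        # Corporate client: direct access, no loop back through the firewall.
        return {"first_hop": first_hop, "via_isa": False, "server": first_hop}
    # Remote client: hits the Web listener; the ISA firewall forwards to the private address.
    return {"first_hop": first_hop, "via_isa": True, "server": isa_forward_target(name)}


def check_split_dns(name, public_zone=PUBLIC_ZONE, private_zone=PRIVATE_ZONE):
    """Findings when the split-DNS requirements for a published name are not met."""
    findings = []
    try:
        public = resolve(name, public_zone)
        if is_internal(public):
            findings.append(f"public zone maps {name} to private address {public}")
    except LookupError:
        findings.append(f"public zone has no record for {name}")
    try:
        private = resolve(name, private_zone)
        if not is_internal(private):
            findings.append(f"private zone maps {name} to {private}; the ISA firewall "
                            "would forward the published request back to its own listener")
    except LookupError:
        findings.append(f"private zone has no record for {name}; the ISA firewall "
                        "cannot forward the published request")
    return findings


if __name__ == "__main__":
    print("remote user:   ", client_path("www.msfirewall.org", "198.51.100.7"))
    print("corporate user:", client_path("www.msfirewall.org", "192.168.2.55"))
    print("findings:", check_split_dns("www.msfirewall.org"))
```

Passing the public zone as the private one (the mistake of copying public records into the internal DNS server) produces the looping finding, which is the failure mode the text warns about for published SSL sites whose certificate common name must resolve internally.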









Tip




Check out Jim Harrison's article Designing An ISA Server Solution on a Complex Network at http://isaserver.org/tutorials/Designing_An_ISA_Server_Solution_on_a_Complex_Networkl for information on network designs supporting ISA firewalls.






Configuring the ISA Firewall's Network Interfaces





Perhaps one of the least understood ISA firewall configuration issues is how to correctly configure the IP addressing information on the ISA firewall's network interfaces. The reason for this is that name resolution issues have the potential for being complex, and fledgling firewall administrators are often too busy to get lost in the details of DNS host name and NetBIOS name resolution.

There are two main network interface configuration scenarios:

- An established name-resolution infrastructure on the corporate network protected by the ISA firewall
- No established name-resolution infrastructure on the corporate network protected by the ISA firewall









Tables 6.2 and 6.3 show the correct IP addressing information for both these scenarios in dual-homed ISA firewalls.






















































Table 6.2: Established Corporate Network Name-Resolution Infrastructure

| Parameters | Internal Interface | External Interface |
|---|---|---|
| Client for Microsoft Networks | Enabled | Disabled |
| File and Print Sharing for Microsoft Networks | Enabled only if the ISA firewall hosts the Firewall client share | Disabled |
| Network Monitor Driver | Enabled when Network Monitor is installed on the ISA firewall (recommended) | Enabled when Network Monitor is installed on the ISA firewall (recommended) |
| Internet Protocol (TCP/IP) | Enabled | Enabled |
| IP address | Valid IP address on the network the internal interface is connected to | Valid IP address on the network the external interface is connected to. Public or private depending on your network infrastructure |
| Subnet mask | Valid subnet mask on the network the internal interface is connected to | Valid subnet mask on the network the external interface is connected to |
| Default gateway | NONE. Never configure a default gateway on any internal or DMZ interface on the ISA firewall. | IP address of upstream router (either corporate or ISP depending on next hop) allowing access to the Internet |
| Preferred DNS server | Internal DNS server that can resolve both internal and Internet host names | NONE. Do not enter a DNS server address on the external interface of the ISA firewall |
| Alternate DNS server | A second internal DNS server that can resolve both internal and Internet host names | NONE. Do not enter a DNS server address on the external interface of the ISA firewall. |
| Register this connection's addresses in DNS | Disabled. You should manually create entries on the Internal network DNS server to allow clients to resolve the name of the ISA firewall's internal interface. | Disabled |
| WINS | Enter an IP address for one or more Internal network DNS servers. Especially helpful for VPN clients who want to browse Internal network servers using the NetBIOS name/browser service | NONE |
| WINS NetBIOS setting | Top of interface list | Disable NetBIOS over TCP/IP |
| Interface order | Default | Under internal interface |




















































Table 6.3: No Established Corporate Network Name-Resolution Infrastructure

| Parameters | Internal Interface | External Interface |
|---|---|---|
| Client for Microsoft Networks | Enabled | Disabled |
| File and Print Sharing for Microsoft Networks | Enabled only if the ISA firewall hosts the Firewall client share | Disabled |
| Network Monitor Driver | Enabled when Network Monitor is installed on the ISA firewall (recommended) | Enabled when Network Monitor is installed on the ISA firewall (recommended) |
| Internet Protocol (TCP/IP) | Enabled | Enabled |
| Default gateway | NONE. Never configure a gateway on any internal or DMZ interface on the ISA firewall | IP address of upstream router (either corporate or ISP depending on next hop) allowing access to the Internet. May be assigned by ISP via DHCP |
| Preferred DNS server | External DNS server that can resolve Internet host names. Typically your ISP's DNS server. Note: If the external interface uses DHCP to obtain IP addressing information, do not enter a DNS server on the ISA firewall's internal interface. | None, unless assigned by ISP via DHCP. |
| Alternate DNS server | A second external DNS server that can resolve Internet host names. Note: If the external interface uses DHCP to obtain IP addressing information from your ISP, do not enter a DNS server on the ISA firewall's internal interface. | NONE. Do not enter a DNS server address on the external interface of the ISA firewall unless assigned via DHCP by ISP. |
| Register this connection's addresses in DNS | Disabled | Disabled |
| WINS | NONE | NONE |
| WINS NetBIOS setting | Default | Disable NetBIOS over TCP/IP |
| Interface order | Top of interface list. Note: If the external interface of the ISA firewall uses DHCP to obtain IP addressing information from your ISP, then do not move the internal interface to the top of the list. | Top of interface list if using ISP DHCP server to assign DNS server addresses |








You should already be familiar with configuring IP addressing information for Windows Server interfaces. However, you may not be aware of how to change the interface order. The interface order is used to determine what name server addresses should be used preferentially.
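The script below is an added example, not code from the book or from ISA Server, that turns the interface rules in Tables 6.2 and 6.3 into a configuration check you can run against a description of a dual-homed ISA firewall before installing the software. The sample configuration, the internal DNS server addresses 192.168.1.10 and 192.168.1.11, and the external addresses are all constructed. The check flags the mistakes the chapter singles out: a default gateway on the internal interface, a DNS server on the external interface when an internal DNS server exists, DNS registration left enabled, NetBIOS left enabled on the external interface, and, for the no-infrastructure scenario, a DNS server on the internal interface while the external interface takes its settings from the ISP's DHCP server. It also verifies that the external gateway is on the external interface's own subnet, which Windows accepts silently but which leaves the firewall without Internet reachability.

```python
import copy
import ipaddress

# Constructed configuration for a dual-homed ISA firewall with an established
# corporate name-resolution infrastructure (Table 6.2). All addresses are assumptions.
INTERNAL_DNS_SERVERS = {"192.168.1.10", "192.168.1.11"}  # resolve internal and Internet names

ESTABLISHED = {
    "internal": {"ip": "192.168.1.1", "mask": "255.255.255.0", "gateway": None,
                 "dns": ["192.168.1.10", "192.168.1.11"], "wins": ["192.168.1.10"],
                 "netbios": "default", "register_in_dns": False, "dhcp": False},
    "external": {"ip": "203.0.113.2", "mask": "255.255.255.252", "gateway": "203.0.113.1",
                 "dns": [], "wins": [], "netbios": "disabled",
                 "register_in_dns": False, "dhcp": False},
}


def check_interfaces(cfg, internal_dns_infrastructure=True):
    """Return findings where cfg departs from Table 6.2 (or 6.3 when no internal DNS exists)."""
    findings = []
    internal, external = cfg["internal"], cfg["external"]

    # Addressing: the external gateway must be on the external interface's subnet.
    ext_net = ipaddress.ip_interface(f"{external['ip']}/{external['mask']}").network
    if internal["gateway"] is not None:
        findings.append("internal: default gateway set; never configure one on an internal or DMZ interface")
    if external["gateway"] is None and not external["dhcp"]:
        findings.append("external: no default gateway to the upstream router")
    elif external["gateway"] and ipaddress.ip_address(external["gateway"]) not in ext_net:
        findings.append(f"external: gateway {external['gateway']} is not on {ext_net}")

    # Settings common to both tables.
    if internal["register_in_dns"] or external["register_in_dns"]:
        findings.append("'Register this connection's addresses in DNS' must be disabled on both interfaces")
    if external["netbios"] != "disabled":
        findings.append("external: NetBIOS over TCP/IP must be disabled")
    if external["wins"]:
        findings.append("external: WINS server configured; should be NONE")

    if internal_dns_infrastructure:
        if not internal["dns"]:
            findings.append("internal: no DNS server; expected an internal DNS server that resolves both internal and Internet names")
        for server in internal["dns"]:
            if server not in INTERNAL_DNS_SERVERS:
                findings.append(f"internal: {server} is not an internal DNS server")
        if external["dns"]:
            findings.append("external: DNS server configured; leave it empty when an internal DNS server exists")
    else:
        if external["dhcp"]:
            if internal["dns"]:
                findings.append("internal: DNS configured although the external interface gets its DNS servers from the ISP via DHCP")
        else:
            if not internal["dns"]:
                findings.append("internal: no DNS server; expected the ISP's DNS server here")
            if external["dns"]:
                findings.append("external: DNS server configured; should be NONE unless assigned via DHCP")
    return findings


def misconfigured_example():
    """A common mistake: ISP DNS on the external interface plus a gateway on the internal one."""
    cfg = copy.deepcopy(ESTABLISHED)
    cfg["internal"]["gateway"] = "192.168.1.254"
    cfg["external"]["dns"] = ["198.51.100.53"]   # constructed ISP resolver address
    return cfg


def no_infrastructure_example(external_dhcp):
    """Table 6.3 layout: ISP DNS on the internal interface unless the ISP assigns it via DHCP."""
    cfg = copy.deepcopy(ESTABLISHED)
    cfg["internal"]["dns"] = [] if external_dhcp else ["198.51.100.53"]
    cfg["internal"]["wins"] = []
    cfg["external"]["dhcp"] = external_dhcp
    cfg["external"]["gateway"] = None if external_dhcp else "203.0.113.1"
    return cfg


if __name__ == "__main__":
    for finding in check_interfaces(misconfigured_example()):
        print("-", finding)
```

Run it with internal_dns_infrastructure=True for the Table 6.2 scenario and False for Table 6.3; the same configuration can pass one and fail the other, which is why the chapter separates the two cases.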









Tip




You can track which interface is connected to which Network by renaming your network interfaces in the Network and Dial-up Connections user interface. Right-click on the network interface, and click Rename. Enter the new name for the interface. For example, on a simple trihomed ISA firewall, we often name the interfaces LAN, WAN, and DMZ.








Perform the following steps to change the interface order:

1. Right-click My Network Places on the desktop, and click Properties.

2. In the Network and Dial-up Connections window, click the Advanced menu, then click Advanced Settings.

3. In the Advanced Settings dialog box (Figure 6.3), click the internal interface in the list of Connections on the Adapters and Bindings tab. After selecting the internal interface, click the up-arrow to move the internal interface to the top of the list of interfaces.

Figure 6.3: The Advanced Settings Dialog Box

4. Click OK in the Advanced Settings dialog box.







Unattended Installation





You can perform an unattended installation of the ISA firewall to simplify provisioning multiple ISA firewalls using a common installation and configuration scheme. The unattended installation depends on the proper configuration of the msisaund.ini file, which contains the configuration information used by ISA firewall setup in unattended mode.









Tip




Make a special note of the last entry in Table 6.4, which shows how you can include a pre-built ISA firewall policy in your unattended installation. This allows you to automate ISA firewall installation and configuration for thousands of ISA firewalls by running a simple command line entry.








The default msisaund.ini file is located on the ISA Server 2004 CD in the \FPC directory. Table 6.4 contains the salient entries and values that are configured in the msisaund.ini file.










































Table 6.4: Entries and Values in the msisaund.ini File

PIDKEY
    Specifies the product key.

INTERNALNETRANGES
    Specifies the range of addresses in the Internal Network. Msisaund.ini must specify at least one Internet Protocol (IP) address. Otherwise, Setup fails. The syntax is:
    N From1-To1,From2-To2,... FromN-ToN
    where N is the number of ranges, and FromI and ToI are the starting and ending addresses in each range.

InstallDir={install_directory}
    Specifies the installation directory for ISA Server. If not specified, it defaults to the first disk drive with enough space. The syntax is:
    Drive:\Folder
    The default folder is:
    %Program Files%\Microsoft ISA Server

COMPANYNAME=Company_Name
    Specifies the name of the company installing the product.

DONOTDELLOGS={0|1}
    If set to 1, log files on the computer are not deleted. The default is 0.

DONOTDELCACHE={0|1}
    If set to 1, cache files on the computer are not deleted. The default is 0.

ADDLOCAL={MSFirewall_Management},{MSFirewall_Services},{Message_Screener},{Publish_Share_Directory},{MSDE}
    Specifies a list of components (delimited by commas) that should be installed on the computer. To install all the components, set ADDLOCAL=ALL.

REMOVE={MSFirewall_Management},{MSFirewall_Services},{Message_Screener},{Publish_Share_Directory},{MSDE}
    Specifies a list of components (delimited by commas) that should be removed from the computer. To remove all the components, set REMOVE=ALL.

IMPORT_CONFIG_FILE=Importfile.xml
    Specifies a configuration file to import.








Perform the following steps to effect the unattended installation of the ISA firewall:

1. Modify the Msisaund.ini file.

2. At a command prompt, enter

   PathToISASetup\Setup.exe [/[X|R]] /V" /q[b|n] FULLPATHANSWERFILE=\"PathToINIFile\MSISAUND.INI\""

   where:

   PathToISASetup
       The path to the ISA Server 2004 installation files. The path may be the root folder of the ISA Server CD-ROM or a shared folder on your network that contains the ISA Server files.

   /Q [b|n]
       Performs quiet unattended setup. If you specify b, a progress bar indicates the setup process. If you specify n, no dialog boxes are displayed.

   /R
       Performs unattended reinstallation.

   /X
       Performs unattended uninstallation.

   PathToINIFile
       The path to the folder containing the unattended installation information.




Issues related to unattended installation of the ISA firewall include:

- You must be a member of the Administrators group to perform an unattended installation.
- You cannot perform an unattended installation on a computer with ISA Server 2000 installed.
- The INTERNALNETRANGES property in Msisaund.ini must specify at least one Internet Protocol (IP) address range that includes one of the IP addresses of your ISA Server computer. Otherwise, Setup fails.
- A sample answer file (Msisaund.ini) is provided on the CD, in the FPC folder.
- For example, CD\FPC\setup.exe /v" /qn FULLPATHANSWERFILE=\"C:\MSISAUND.INI\"" performs an unattended installation of ISA Server, using the Msisaund.ini file located in c:\.
- The MSDE component, which is installed when you install the Advanced logging feature, is not properly installed when you remotely install the ISA firewall using Terminal Services in application server mode. Use Terminal Services in administration mode to properly install MSDE.
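The Python below is an added example, not code from the book or the ISA Server product, covering the two pieces of the unattended installation that are easy to get wrong: the INTERNALNETRANGES syntax in Table 6.4 and the Setup.exe command line. It parses and produces the "N From1-To1,From2-To2,..." value, checks the condition under which Setup fails (no range includes one of the ISA firewall's own addresses), assembles the other msisaund.ini entries from Table 6.4, and builds the documented command line for a quiet install, reinstall (/R) or uninstall (/X). The ISA addresses, the Internal Network range, the company name and the policy file name are constructed; the product key is a placeholder. Only key=value lines are rendered, since any section layout of msisaund.ini beyond those entries is not described here and should be taken from the sample file in the CD's \FPC folder.

```python
import ipaddress
import re

# Constructed values: the ISA firewall's own interface addresses and the
# Internal Network it protects. The product key is a placeholder, not a real key.
ISA_ADDRESSES = ["192.168.1.1", "203.0.113.2"]
INTERNAL_NETWORKS = ["192.168.0.0/16"]
PRODUCT_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

RANGES_RE = re.compile(r"^(\d+)\s+(.+)$")


def parse_internal_net_ranges(value):
    """Parse 'N From1-To1,From2-To2,...' into a list of (start, end) addresses."""
    match = RANGES_RE.match(value.strip())
    if not match:
        raise ValueError("expected 'N From1-To1,From2-To2,... FromN-ToN'")
    count, body = int(match.group(1)), match.group(2)
    pairs = []
    for item in body.split(","):
        start, sep, end = item.strip().partition("-")
        if not sep:
            raise ValueError(f"range {item.strip()!r} is not From-To")
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first:
            raise ValueError(f"range {item.strip()!r} ends before it starts")
        pairs.append((first, last))
    if len(pairs) != count:
        raise ValueError(f"N={count} but {len(pairs)} ranges were given")
    return pairs


def format_internal_net_ranges(networks):
    """Render CIDR networks as the INTERNALNETRANGES value."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return f"{len(nets)} " + ",".join(f"{n.network_address}-{n.broadcast_address}" for n in nets)


def covers_isa_address(pairs, isa_addresses):
    """Setup fails unless some range contains one of the ISA firewall's own addresses."""
    return any(first <= ipaddress.ip_address(ip) <= last
               for first, last in pairs for ip in isa_addresses)


def build_answer_entries(product_key, internal_networks, company, config_file=None):
    """Key=value entries for msisaund.ini (Table 6.4); layout otherwise follows the sample in \\FPC."""
    entries = {
        "PIDKEY": product_key,
        "INTERNALNETRANGES": format_internal_net_ranges(internal_networks),
        "COMPANYNAME": company,
        "ADDLOCAL": "ALL",
        "DONOTDELLOGS": "1",
        "DONOTDELCACHE": "1",
    }
    if config_file:
        entries["IMPORT_CONFIG_FILE"] = config_file   # pre-built firewall policy to import
    return entries


def validate_answer_entries(entries, isa_addresses):
    """Findings that would make unattended Setup fail."""
    findings = []
    if not entries.get("PIDKEY"):
        findings.append("PIDKEY missing")
    ranges = entries.get("INTERNALNETRANGES")
    if not ranges:
        findings.append("INTERNALNETRANGES missing; Setup fails")
    else:
        try:
            if not covers_isa_address(parse_internal_net_ranges(ranges), isa_addresses):
                findings.append("INTERNALNETRANGES does not include an ISA firewall address; Setup fails")
        except ValueError as exc:
            findings.append(f"INTERNALNETRANGES malformed: {exc}")
    if "ADDLOCAL" in entries and "REMOVE" in entries:
        findings.append("both ADDLOCAL and REMOVE set")
    return findings


def render_ini(entries):
    return "".join(f"{key}={value}\r\n" for key, value in entries.items())


def setup_command(setup_dir, ini_path, quiet="n", mode=None):
    """Build the Setup.exe command line in the form shown in the chapter."""
    mode_flag = f" /{mode}" if mode in ("X", "R") else ""
    return f'{setup_dir}\\Setup.exe{mode_flag} /V" /q{quiet} FULLPATHANSWERFILE=\\"{ini_path}\\""'


if __name__ == "__main__":
    entries = build_answer_entries(PRODUCT_KEY, INTERNAL_NETWORKS, "Example Corp", "policy.xml")
    print(render_ini(entries))
    print("findings:", validate_answer_entries(entries, ISA_ADDRESSES))
    print(setup_command(r"D:\FPC", r"C:\MSISAUND.INI"))
```

The validator reproduces the failure the chapter lists: an answer file whose Internal Network ranges do not contain one of the ISA firewall's own addresses is reported before Setup is ever launched, and a range count that disagrees with N is caught as malformed.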







Installation via a Terminal Services Administration Mode Session





You can install the ISA firewall via a Terminal Services administration mode connection. After installation is complete, a System Policy rule is configured to allow RDP connections only from the IP address of the machine that was connected during the ISA firewall software installation. This is in contrast to the default System Policy setting when installing the ISA firewall software at the console, where any host on the Internal Network can initiate an RDP connection to the ISA firewall's Internal interface.



