Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources] - text version

Thomas W. Shinder; Debra Littlejohn Shinder

Quick Start Configuration for ISA Firewalls





Many of you will want to install and configure the ISA firewall as quickly as possible and then wait until later to get into the details of ISA firewall configuration. What you want to do is connect the ISA firewall to your network and your Internet connection, install the software, and create a rule that allows all hosts on your private network access to all protocols on the Internet as quickly as possible. Once you're up and running and connected to the Internet, you can then read the rest of this book at your leisure and get into the interesting and powerful configuration options available to you.




To help you, we have included a quick installation and configuration section. In order to make this a quick installation and configuration guide, we're making the following basic assumptions about your network:

- You don't have any other Windows servers on your network. While you can have other Windows servers running Windows network services, this guide includes instructions on how to install DNS and DHCP services on the ISA firewall. If you already have a DNS server on your network, you do not need to install a DNS server on the ISA firewall. If you already have a DHCP server on your network, you do not need to install a DHCP server on the ISA firewall.

- You are installing ISA Server 2004 on Windows Server 2003.

- You have installed Windows Server 2003 on a computer using the default installation settings and have not added any software to the Windows Server 2003 machine.

- Your Windows Server 2003 computer already has two Ethernet cards. One NIC is connected to the Internal Network and the other is connected to the Internet via a network router, or there is a DSL or cable NAT 'router' in front of it.

- Machines on the Internal network are configured as DHCP clients and will use the ISA Server 2004 firewall machine as their DHCP server.

- The Windows Server 2003 machine that you're installing the ISA Server 2004 firewall software on is not a member of a Windows domain. While we recommend that you make the ISA firewall a member of the domain later, the computer running the ISA firewall software does not need to be a domain member. We make this assumption in this quick installation and setup guide because we assume that you have no other Windows servers on your network (you may have Linux, NetWare, or other vendors' servers, though).









Figure 6.14 shows the ISA firewall and its relationship to the internal and external networks. The internal interface is connected to a hub or switch on the internal network, and the external interface is connected to a hub or switch that also connects to the router.











Figure 6.14: The Physical Relationships between the ISA Server 2004 Firewall and the Internal and External Networks.




We will perform the following procedures to get the ISA firewall quickly set up and configured:

1. Configure the ISA firewall's network interfaces.
2. Install and configure a DNS server on the ISA Server 2004 firewall computer.
3. Install and configure a DHCP server on the ISA Server 2004 firewall computer.
4. Install and configure the ISA Server 2004 software.
5. Configure the internal network computers as DHCP clients.









Configuring the ISA Firewall's Network Interfaces





The ISA firewall must have at least one internal network interface and one external network interface. To correctly configure the network interfaces on the ISA firewall:

1. Assign IP addresses to the internal and external network interfaces.
2. Assign a DNS server address to the internal interface of the ISA firewall.
3. Place the internal interface at the top of the network interface order.










IP Address and DNS Server Assignment





First, we will assign static IP addresses to the internal and external interfaces of the ISA firewall. The ISA firewall also requires a DNS server address bound to its internal interface. We will not need to use DHCP on any of the ISA firewall's network interfaces because the internal interface should always have a static IP address, and the external interface doesn't need to support a dynamic address because it's behind a router.




If your Internet account uses DHCP to assign your public address, your DSL or cable router can handle the task of obtaining and renewing the public address. If you use PPPoE or VPN to connect to your ISP, your router can also handle these tasks. In this section, we discuss:

- Configuring the internal network interface, and
- Configuring the external network interface










Configuring the Internal Network Interface




The internal interface must have an IP address that is on the same network ID as other computers on the directly-attached network. This address must be in the private network address range, and the address must not already be in use on the network.




We will configure the ISA firewall to use its internal interface address as its DNS server address.




The ISA firewall must have a static IP address bound to its internal interface. Perform the following steps on the Windows Server 2003 machine that will become the ISA firewall:

1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right-click the internal network interface, and click Properties.
3. In the network interface's Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select Use the following IP address. Enter the IP address for the internal interface in the IP address text box. Enter the subnet mask for the internal interface in the Subnet mask text box. Do not enter a default gateway for the internal interface.
5. Select Use the following DNS server addresses. Enter the IP address of the internal interface of the ISA firewall in the Preferred DNS server text box. This is the same address you entered in step 4 in the IP address text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
6. Click OK in the internal interface's Properties dialog box.









Warning




If you already have a DNS server on your internal network, you should configure the ISA firewall's internal interface to use the Internal Network DNS server's IP address. You then configure the DNS server on the Internal Network to resolve Internet host names. The Microsoft DNS server will automatically resolve Internet host names as long as the Root Hints file is primed with Internet DNS Root Servers. The default Access Rule we will create at the end of this quick install and configuration section will allow the DNS server outbound access to Internet DNS servers for host name resolution.










Warning




Never enter a default gateway address on the internal interface. An ISA firewall can have a single interface with a default gateway. Even if you have 17 NICs installed in the same ISA firewall, only one of those NICs can be configured with a default gateway. All other gateways must be configured in the Windows routing table.











Configuring the External Network Interface




Perform the following steps to configure the IP addressing information on the external interface of the ISA firewall:

1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right-click the external network interface, and click Properties.
3. In the network interface's Properties dialog box, click the Internet Protocol (TCP/IP) entry, and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select Use the following IP address. Enter the IP address for the external interface in the IP address text box. Enter the subnet mask for the external interface in the Subnet mask text box. Enter the default gateway for the external interface in the Default gateway text box. The default gateway is the LAN address of your router. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
5. Click OK in the external interface's Properties dialog box.









Note




You do not need to configure a DNS server address on the external interface. The DNS server address on the internal interface is the only DNS server address required.











Network Interface Order





The internal interface of the ISA Server 2004 computer is placed at the top of the network interface binding order to ensure the best performance for name resolution. Perform the following steps to configure the interface order on the Windows Server 2003 machine:

1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, click the Advanced menu, then click Advanced Settings.
3. In the Advanced Settings dialog box (Figure 6.15), click the internal interface in the list of Connections on the Adapters and Bindings tab. After selecting the internal interface, click the up-arrow to move it to the top of the list of interfaces.

Figure 6.15: The Advanced Settings Dialog Box

4. Click OK in the Advanced Settings dialog box.
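The same interface settings can be applied from a command prompt with netsh instead of the Network Connections dialogs. The script below is an added example, not part of the book: the interface names Internal and External, the 192.168.1.0/24 internal network with the firewall at 192.168.1.1, and the external address 10.0.0.2/24 behind a router at 10.0.0.1 are assumed values to adjust before running it. The binding order from the last procedure has no netsh equivalent on Windows Server 2003 and still has to be set in the Advanced Settings dialog.

```batch
@echo off
rem Added example (not from the book): netsh equivalent of the interface
rem configuration steps for a dual-homed Windows Server 2003 ISA firewall.
rem Assumed values - edit before running:
rem   NICs renamed "Internal" and "External" in Network Connections
rem   Internal network 192.168.1.0/24, firewall internal address 192.168.1.1
rem   External address 10.0.0.2/24, router LAN address 10.0.0.1
setlocal
set INT_NIC=Internal
set EXT_NIC=External
set INT_IP=192.168.1.1
set INT_MASK=255.255.255.0
set EXT_IP=10.0.0.2
set EXT_MASK=255.255.255.0
set EXT_GW=10.0.0.1

rem Internal interface: static address, no default gateway (gateway=none),
rem DNS pointed at the firewall's own internal address, which is where the
rem caching-only DNS server is installed later.
netsh interface ip set address name="%INT_NIC%" source=static addr=%INT_IP% mask=%INT_MASK% gateway=none
netsh interface ip set dns name="%INT_NIC%" source=static addr=%INT_IP%

rem External interface: static address plus the only default gateway on the
rem box (the router's LAN address). No DNS server on this interface.
netsh interface ip set address name="%EXT_NIC%" source=static addr=%EXT_IP% mask=%EXT_MASK% gateway=%EXT_GW% gwmetric=1
netsh interface ip set dns name="%EXT_NIC%" source=static addr=none

rem Check 1: exactly one 0.0.0.0 default route should exist, via the router.
echo Default routes (expect exactly one, gateway %EXT_GW%):
route print | findstr /R /C:"^ *0\.0\.0\.0 "

rem Check 2: the Default Gateway line must be empty for the internal NIC and
rem the DNS Servers line must show %INT_IP% for it and nothing for external.
ipconfig /all | findstr /C:"adapter" /C:"IP Address" /C:"Default Gateway" /C:"DNS Servers"
endlocal
```

Run it from an elevated command prompt on the future ISA firewall; if the second check shows a default gateway under the internal adapter, the warning above applies and the routing table will send Internal-network-bound traffic the wrong way.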









Installing and Configuring a DNS Server on the ISA Server Firewall





We will install a caching-only DNS server on the ISA firewall. This allows machines on the Internal Network, and the ISA firewall itself, to resolve Internet host names. You do not need to perform this step if you already have a DNS server on your Internal network. Even so, you might consider configuring the ISA firewall as a caching-only DNS server and then either configuring computers on the Internal network to use the ISA Server 2004 machine as their DNS server, or configuring the Internal Network computers to use your Internal Network DNS server and configuring that DNS server to use the ISA firewall as a DNS forwarder.





Installing the DNS Service





The DNS Server service is not installed by default on Windows server operating systems. The first step is to install the DNS Server service on the Windows Server 2003 machine that will be the ISA firewall.





Installing the DNS Server Service on Windows Server 2003




Perform the following steps to install the DNS Server service on a Windows Server 2003 computer:

1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components.
3. In the Windows Components Wizard dialog box, select Networking Services from the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox, and click OK.
5. Click Next in the Windows Components dialog box.
6. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder from the Windows Server 2003 installation CD in the Copy files from text box, then click OK.
7. Click Finish on the Completing the Windows Components Wizard page.
8. Close the Add or Remove Programs window.










Configuring the DNS Service on the ISA Firewall





The DNS Server on the ISA firewall machine performs DNS queries for Internet host names on behalf of computers on the internal network. The DNS Server on the ISA firewall is configured as a caching-only DNS server. A caching-only DNS Server does not contain information about your public or private DNS names and domains. The caching-only DNS Server resolves Internet host names and caches the results; it does not answer DNS queries for names on your private internal network DNS zone or your public DNS zone.









Note




DNS is an inherently complex topic. Do not be concerned if you do not completely understand the details of DNS operations. The DNS service will be correctly configured to resolve Internet host names when you complete the steps in this section.








If you have an internal network DNS server supporting an Active Directory domain, you can configure the caching-only DNS server located on the ISA firewall to refer client requests to your internal network domain to the DNS server on your internal network. The end result is that the caching-only DNS server on the ISA Server 2004 firewall computer will not interfere with your current DNS server setup.





Configuring the DNS Service in Windows Server 2003




Perform the following steps to configure the DNS service on the Windows Server 2003 computer:

1. Click Start and point to Administrative Tools. Click the DNS entry.
2. Right-click the server name in the left pane of the console, point to View, and click Advanced.
3. Expand all nodes in the left pane of the DNS console.
4. Right-click the server name in the left pane of the DNS console, and click Properties.
5. In the server's Properties dialog box, click the Interfaces tab. Select Only the following IP addresses. Click any IP address that is not bound to the internal interface of the computer (that is, the external interface's address), and click Remove. This keeps the DNS service from listening on the external interface, so Internet hosts cannot use the ISA firewall as an open resolver. Click Apply.
6. Click the Forwarders tab, as shown in Figure 6.16. Enter the IP address of your ISP's DNS server in the Selected domain's forwarder IP address list text box, and then click Add. Put a checkmark in the Do not use recursion for this domain checkbox. This option prevents the DNS server on the ISA firewall from trying to perform name resolution itself: if the forwarder is unable to resolve the name, the name resolution request stops instead of the ISA firewall falling back to the root hints. Click Apply.

Figure 6.16: The Forwarders Tab

Tip

If you find that name resolution performance isn't as good as you expect, disable the Forwarders entry. While a well-managed ISP DNS server can significantly improve name resolution performance, a poorly-managed ISP DNS server can slow down your ISA firewall's ability to resolve Internet host names. In most instances, you'll get better performance using your ISP's DNS server because it will have a larger cache of resolved host names than your ISA firewall's caching-only DNS server.

7. Click OK in the server's Properties dialog box.
8. Right-click the server name; point to All Tasks, and click Restart.

Perform the following steps only if you have an internal network DNS server that you are using to support an Active Directory domain. If you do not have an internal network DNS server and you do not need to resolve internal network DNS names, skip the following steps on configuring a stub zone.

Warning

DO NOT perform the following steps if you do not already have a DNS server on your internal network. These steps are only for those networks already using Windows 2000 Server or Windows Server 2003 Active Directory domains.

9. The first step is to create the reverse lookup zone for the Internal Network where the internal DNS server is located. Right-click the Reverse Lookup Zones node in the left pane of the console, and click New Zone.
10. Click Next on the Welcome to the New Zone Wizard page.
11. On the Zone Type page, select Stub zone, and click Next.
12. On the Reverse Lookup Zone Name page, select Network ID and enter the ID of the network where the internal network DNS server is located in the Network ID text box, as shown in Figure 6.17. Click Next.

Figure 6.17: The Reverse Lookup Zone Name Page

13. Accept the default file name on the Zone File page, and click Next.
14. On the Master DNS Servers page, enter the IP address of your internal network DNS server, and click Add. Click Next.
15. Click Finish on the Completing the New Zone Wizard page.
16. The next step is to create the forward lookup stub zone. Right-click the Forward Lookup Zones node in the left pane of the console, and click New Zone.
17. Click Next on the Welcome to the New Zone Wizard page.
18. On the Zone Type page, select Stub zone, and click Next.
19. On the Zone name page, type the name of your internal network domain in the Zone name text box. Click Next.
20. On the Zone File page (Figure 6.18), accept the default name for the zone file, and click Next.

Figure 6.18: The Zone File Page

21. On the Master DNS Servers page, enter the IP address of your internal network's DNS server, and click Add. Click Next.
22. Click Finish on the Completing the New Zone Wizard page.
23. Right-click the server name in the left pane of the console; point to All Tasks, and click Restart.










Configuring the DNS Service on the Internal Network DNS Server





If your organization has an existing DNS infrastructure, you should configure your Internal network's DNS server to use the DNS server on the ISA Server 2004 firewall as its DNS forwarder. This provides a more secure DNS configuration because your Internal network DNS server never communicates directly with an untrusted DNS server on the Internet.




The Internal network DNS server forwards DNS queries to the DNS server on the ISA Server 2004 firewall, and the DNS server on the ISA Server 2004 resolves the name, places the result in its own DNS cache, and then returns the IP address to the DNS server on the Internal network.









Warning




Perform the following steps only if you have an internal DNS server and you have configured the ISA firewall's internal interface to use the internal DNS server. If you do not have an internal network DNS server, do not perform the following steps.








Perform the following steps on the Internal network DNS server to configure it to use the DNS server on the ISA firewall as its forwarder:

1. Click Start and point to Administrative Tools, then click DNS.
2. In the DNS Management console, right-click the server name in the left pane of the console, and click Properties.
3. In the server's Properties dialog box, click the Forwarders tab, as shown in Figure 6.19.

Figure 6.19: The Forwarders Tab

4. On the Forwarders tab, enter the IP address of the internal interface of the ISA Server 2004 firewall in the Selected domain's forwarder IP address list text box. Click Add. The IP address for the internal interface of the ISA Server 2004 firewall appears in the list of forwarder addresses (Figure 6.19).
5. Put a checkmark in the Do not use recursion for this domain checkbox (Figure 6.20). This option prevents the Internal network DNS server from trying to resolve the name itself, and so from contacting Internet DNS servers directly, in the event that the forwarder on the ISA firewall is unable to resolve the name.

Figure 6.20: Disabling Recursion

6. Click Apply, and then click OK.









Note that the DNS server on the Internal Network will not be able to resolve Internet host names yet. We still need to create an Access Rule allowing the DNS server access to the DNS server on the ISA firewall. We will create this Access Rule later in this section.
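Both DNS procedures above, the caching-only server on the ISA firewall and the forwarder setting on the Internal network DNS server, can be done with dnscmd.exe from the Windows Server 2003 Support Tools instead of the DNS console. The script below is an added example and not part of the book; the ISA internal address 192.168.1.1, the ISP resolver 203.0.113.53, the internal Active Directory DNS server 192.168.1.10 and its domain corp.example.com are assumed values, and the stub-zone and forwarder lines at the end apply only if that internal DNS server exists.

```batch
@echo off
rem Added example (not from the book): dnscmd equivalent of the DNS steps in
rem this section. dnscmd.exe comes from the Windows Server 2003 Support Tools
rem (SUPTOOLS.MSI in \SUPPORT\TOOLS on the installation CD).
rem Assumed values - edit before running:
set ISA_INT_IP=192.168.1.1
set ISP_DNS=203.0.113.53
set AD_DNS=192.168.1.10
set AD_DOMAIN=corp.example.com
set AD_REVERSE=1.168.192.in-addr.arpa

rem --- On the ISA firewall ---
rem Install the DNS Server service unattended (sysocmgr prompts for the
rem i386 folder if the source files are not found).
> "%TEMP%\dns-oc.txt" echo [NetOptionalComponents]
>> "%TEMP%\dns-oc.txt" echo DNS=1
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%TEMP%\dns-oc.txt" /q

rem Interfaces tab: listen on the internal address only, so the DNS service
rem never answers queries arriving on the external interface.
dnscmd /ResetListenAddresses %ISA_INT_IP%

rem Forwarders tab: forward to the ISP resolver. /Slave is the
rem "Do not use recursion for this domain" checkbox - if the forwarder
rem fails, the query fails instead of the firewall recursing via root hints.
dnscmd /ResetForwarders %ISP_DNS% /Slave

rem Stub zones (ONLY if an internal AD DNS server exists): queries for the
rem internal domain and its reverse zone are referred to that server.
dnscmd /ZoneAdd %AD_REVERSE% /Stub %AD_DNS%
dnscmd /ZoneAdd %AD_DOMAIN% /Stub %AD_DNS%

rem Restart the service so the new listen address and forwarder take effect.
net stop dns & net start dns

rem Check: port 53 must be bound to %ISA_INT_IP% only; an entry for the
rem external address or 0.0.0.0 means the Interfaces step did not apply.
echo Sockets on port 53 (expect only %ISA_INT_IP%):
netstat -an | findstr /C:":53 "

rem --- On the Internal network DNS server (ONLY if it exists) ---
rem Same forwarder setting as the Forwarders tab steps above: send every
rem query it is not authoritative for to the ISA firewall, and do not fall
rem back to contacting Internet DNS servers directly. dnscmd accepts the
rem target server name or address as its first argument, so this can also
rem be run remotely from an administrator's workstation.
dnscmd %AD_DNS% /ResetForwarders %ISA_INT_IP% /Slave
```

Until the Access Rules later in this section exist, the last command configures the forwarder but the internal DNS server's queries to the ISA firewall are still dropped by the default deny rule.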




Installing and Configuring a DHCP Server on the ISA Server Firewall





Each of your computers needs an IP address and other information that allows them to communicate with each other and with computers on the Internet. The DHCP Server service can be installed on the ISA firewall and provide IP addressing information to Internal Network computers. We will assume that you need to use the ISA firewall as your DHCP server. If you already have a DHCP server on your network, you can bypass the following steps.









Warning




You must not have any other DHCP servers on the network. If you have another machine on the network acting as a DHCP server, disable the DHCP service on that machine so that the ISA Server 2004 firewall acts as your only DHCP server on the network.









Installing the DHCP Service





The DHCP Server service can be installed on Windows 2000 Server and Windows Server 2003 computers, and the procedure varies slightly between the two operating systems. Because this quick start assumes Windows Server 2003, the steps below cover the Windows Server 2003 procedure.





Installing the DHCP Server Service on a Windows Server 2003 Computer




Perform the following steps to install the DHCP Server service on a Windows Server 2003 computer:

1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components.
3. In the Windows Components Wizard dialog box, select Networking Services from the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
4. In the Networking Services dialog box (Figure 6.21), put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox, and click OK.

Figure 6.21: The Networking Services Dialog Box

5. Click Next in the Windows Components dialog box.
6. Click Finish on the Completing the Windows Components Wizard page.
7. Close the Add or Remove Programs window.










Configuring the DHCP Service





The DHCP Server must be configured with a collection of IP addresses it can assign to machines on your private network. The DHCP Server also provides information in addition to an IP address, such as a DNS server address, default gateway, and primary domain name.




The DNS server and default gateway addresses assigned to your computers will be the IP address on the internal interface of the ISA firewall. The DHCP server uses a DHCP scope to provide this information to the internal network clients. You must create a DHCP scope that provides the correct IP addressing information to your internal network clients.









Note




The DHCP server must not assign addresses that are already in use on your network. You must create exclusions for these IP addresses. Examples of excluded IP addresses are static or reserved addresses assigned to print servers, file servers, mail servers, or Web servers; these are just a few examples of devices or servers that always have the same IP address assigned to them. If you don't create exclusions for these addresses, the DHCP server will eventually offer one of them to a client; the client's duplicate-address check (a gratuitous ARP for the offered address) finds it in use and declines the lease, and the DHCP server then marks the address as a BAD_ADDRESS in the scope. In addition, a well designed network groups computers into contiguous blocks of IP addresses. For example, all computers that need static addresses would be placed into one contiguous block, which can then be covered by a single exclusion range.








Perform the following steps to configure the Windows Server 2003 DHCP Server with a scope that will assign the proper IP addressing information to the internal network clients:









Warning




If you already have a DHCP server on your corporate network, do not perform the following steps, and do not install the DHCP server on the ISA firewall. Only install the DHCP server on the ISA firewall if you do not have a DHCP server on your internal network.










1. Click Start and point to Administrative Tools. Click DHCP.
2. Expand all nodes in the left pane of the DHCP console. Right-click the server name in the left pane of the console, and click New Scope.
3. Click Next on the Welcome to the New Scope Wizard page.
4. Type SecureNAT Client Scope in the Name text box on the Scope Name page. Click Next.
5. On the IP Address Range page, enter the first IP address and the last IP address for the range in the Start IP address and End IP address text boxes. For example, if you are using the network ID 192.168.1.0 with a subnet mask of 255.255.255.0, enter the start IP address as 192.168.1.1 and the end IP address as 192.168.1.254. Click Next.
6. On the Add Exclusions page, enter the IP address of the internal interface of the ISA firewall in the Start IP address text box, and click Add. If you have servers or workstations on the network that have statically-assigned IP addresses that you do not want to change, add those addresses to the exclusions list. Click Next after adding all addresses you want to exclude from the DHCP scope.
7. Accept the default value on the Lease Duration page, and click Next.
8. On the Configuring DHCP Options page, select Yes, I want to configure these options now, and click Next.
9. On the Router (Default Gateway) page, enter the IP address of the internal interface of the ISA firewall, and click Add. Click Next.
10. On the Domain Name and DNS Servers page, enter the IP address of the internal interface of the ISA firewall in the IP address text box, and click Add. If you have an Active Directory domain on the Internal network, enter the name of your Internal network domain in the Parent domain text box. Do not enter a domain name in the Parent domain text box unless you have an existing Active Directory domain on the internal network. Click Next.
11. Do not enter any information on the WINS Servers page unless you already have a WINS server on the internal network. If you already have a WINS server, enter its IP address in the IP address text box. Click Next.
12. Select Yes, I want to activate this scope now on the Activate Scope page, and click Next.
13. Click Finish on the Completing the New Scope Wizard page.
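The scope the wizard builds can also be created with the netsh dhcp context, which makes the exclusions and options easy to review and repeat. The script below is an added example and not part of the book; it assumes the 192.168.1.0/24 network from step 5, the ISA firewall's internal address 192.168.1.1, one statically addressed file server at 192.168.1.10, and an Active Directory domain corp.example.com (drop the option 015 line if you have no domain).

```batch
@echo off
rem Added example (not from the book): netsh equivalent of the New Scope
rem Wizard steps on a Windows Server 2003 ISA firewall.
rem Assumed values - edit before running:
set NET_ID=192.168.1.0
set MASK=255.255.255.0
set POOL_FIRST=192.168.1.1
set POOL_LAST=192.168.1.254
set ISA_INT_IP=192.168.1.1
set STATIC_FIRST=192.168.1.10
set STATIC_LAST=192.168.1.10
set AD_DOMAIN=corp.example.com
set SCOPE_NAME=SecureNAT Client Scope

rem Install the DHCP Server service unattended (prompts for i386 if needed).
> "%TEMP%\dhcp-oc.txt" echo [NetOptionalComponents]
>> "%TEMP%\dhcp-oc.txt" echo DHCPServer=1
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%TEMP%\dhcp-oc.txt" /q

rem Scope and address pool (steps 4 and 5 of the wizard).
netsh dhcp server add scope %NET_ID% %MASK% "%SCOPE_NAME%" "Quick start scope"
netsh dhcp server scope %NET_ID% add iprange %POOL_FIRST% %POOL_LAST%

rem Exclusions (step 6): the firewall's own address and every statically
rem configured host. Without these the server hands the addresses out and
rem the clients' conflict detection marks them BAD_ADDRESS.
netsh dhcp server scope %NET_ID% add excluderange %ISA_INT_IP% %ISA_INT_IP%
netsh dhcp server scope %NET_ID% add excluderange %STATIC_FIRST% %STATIC_LAST%

rem Scope options (steps 9 and 10): router (003) and DNS server (006) are both
rem the firewall's internal address, so SecureNAT clients send all traffic,
rem name resolution included, to the ISA firewall. 015 is the parent domain.
netsh dhcp server scope %NET_ID% set optionvalue 003 IPADDRESS %ISA_INT_IP%
netsh dhcp server scope %NET_ID% set optionvalue 006 IPADDRESS %ISA_INT_IP%
netsh dhcp server scope %NET_ID% set optionvalue 015 STRING %AD_DOMAIN%

rem Activate the scope (step 12) and review what clients will receive.
netsh dhcp server scope %NET_ID% set state 1
netsh dhcp server scope %NET_ID% show excluderange
netsh dhcp server scope %NET_ID% show optionvalue
netsh dhcp server scope %NET_ID% show state
```

The ISA firewall in this quick start is a workgroup member, so no Active Directory authorization of the DHCP server is involved; the scope is live as soon as set state 1 runs, which is why the exclusions are added before it.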









Installing and Configuring the ISA Server 2004 Software





We're now ready to install the ISA firewall software.




The following steps demonstrate how to install the ISA firewall software on a dual-homed Windows Server 2003 machine:

1. Insert the ISA Server 2004 installation media into the CD-ROM drive or connect to a network share hosting the ISA Server 2004 installation files. If the installation routine does not start automatically, double-click the isaautorun.exe file in the root of the installation files tree.
2. On the Microsoft Internet Security and Acceleration Server 2004 page, click Review Release Notes and read the notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, click Read Setup and Feature Guide. You don't need to read the entire guide right now, but you may want to print it to read later. Click Install ISA Server 2004.
3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
4. Select I accept the terms in the license agreement on the License Agreement page. Click Next.
5. On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter your serial number in the Product Serial Number text box. Click Next.
6. On the Setup Type page, select the Custom option. If you do not want to install the ISA firewall software on the C: drive, click the Change button to change the location of the program files on the hard disk. Click Next.
7. On the Custom Setup page (Figure 6.22), choose the components to install. By default, the Firewall Services, ISA Server Management, and Firewall Client Installation Share are installed. The Message Screener, which is used to control spam and file attachments entering and leaving the network, is not installed by default; you must install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. We want to install the Firewall Client Installation Share so that we have the option later to install the Firewall client on Internal Network client machines. Click the 'X' to the left of the Firewall Client Installation Share option and click This feature, and all subfeatures, will be installed on the local hard drive (ISA Server client types are covered in Chapter 5). Click Next.

Figure 6.22: The Custom Setup Page

8. On the Internal Network page, click Add. The Internal network is different from the Local Address Table (LAT) used by ISA Server 2000. The Internal network contains trusted network services with which the ISA firewall must communicate. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy uses the Internal network definition in many of its System Policy Rules.
9. On the Internal Network setup page, click the Select Network Adapter button.
10. In the Configure Internal Network dialog box, remove the checkmark from the Add the following private ranges… checkbox. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox, as shown in Figure 6.23. Put a checkmark next to the adapter connected to the Internal network. In this example we have renamed the network interfaces so that the interface name reflects its location. Click OK.

Figure 6.23: The Select Network Adapter Page

11. Click OK in the dialog box informing you that the Internal network was defined based on the Windows routing table.
12. Click OK in the Internal network address ranges dialog box.
13. Click Next on the Internal Network page.
14. Leave Allow computers running earlier versions of Firewall Client software to connect unchecked. With this option off, only the ISA Server 2004 Firewall client can connect; the earlier clients shipped with Proxy Server 2.0 and ISA Server 2000 are not supported. The new client sends user credentials to the ISA firewall over an encrypted channel and authenticates transparently, whereas the earlier client protocol does not encrypt that channel. Click Next.
15. On the Services page, note that the SNMP and IIS Admin services will be stopped during installation. If the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) and/or IP Network Address Translation services are installed on the ISA Server 2004 machine, they will be disabled, as they conflict with the ISA Server 2004 firewall software.
16. Click Install on the Ready to Install the Program page.
17. On the Installation Wizard Completed page, click Finish.
18. Click Yes in the Microsoft ISA Server dialog box informing you that you must restart the server.
19. Log on as an Administrator after the machine restarts.
20. Click Start and point to All Programs. Point to Microsoft ISA Server, and click ISA Server Management. The Microsoft Internet Security and Acceleration Server 2004 management console opens and displays the Welcome to Microsoft Internet Security and Acceleration Server 2004 page.










Configuring the ISA Firewall





Now we're ready to configure Access Policy on the ISA firewall. A freshly installed ISA firewall allows nothing but its System Policy traffic, so even the DHCP and DNS services on the firewall itself need explicit rules. We need to create the following five Access Rules:

- A rule that allows Internal Network clients access to the DHCP server on the ISA firewall.
- A rule that allows the ISA firewall to send DHCP messages to the hosts on the Internal network.
- A rule that allows the Internal Network DNS server to use the ISA firewall as its DNS server. Create this rule only if you have an Internal Network DNS server.
- A rule that allows Internal Network clients access to the caching-only DNS server on the ISA firewall. Use this rule if you do not have a DNS server on the Internal Network, or if you have a DNS server on the Internal Network and you want to use the ISA firewall as a caching-only DNS server with a stub zone pointing to your Internal Network domain.
- An 'All Open' rule allowing Internal Network clients access to all protocols and sites on the Internet. This rule is what makes the quick start quick; it is also the one to replace with protocol-specific rules once you have worked through the rest of this book.

Tables 6.8 through 6.12 show the details of each of these rules.










































Table 6.8: DHCP Request to Server

Name: DHCP Request to Server
Action: Allow
Protocols: DHCP (request)
From: Anywhere
To: Local Host
Users: All Users
Schedule: Always
Content Types: All content types
Purpose: This rule allows DHCP clients to send DHCP requests to the DHCP server installed on the ISA firewall.

Table 6.9: DHCP Reply from Server

Name: DHCP Reply from Server
Action: Allow
Protocols: DHCP (reply)
From: Local Host
To: Internal
Users: All Users
Schedule: Always
Content Types: All content types
Purpose: This rule allows the DHCP server on the ISA firewall to reply to DHCP requests made by Internal network DHCP clients.

Table 6.10: Internal DNS Server to Forwarder

Name: Internal DNS Server to DNS forwarder
Action: Allow
Protocols: DNS
From: DNS Server*
To: Local Host
Users: All Users
Schedule: Always
Content Types: All content types
Purpose: This rule allows the Internal network DNS server to forward queries to the DNS forwarder on the ISA Server 2004 firewall machine. Create this rule only if you have an Internal Network DNS server.

* User defined

Table 6.11: Internal Network to DNS Server

Name: Internal Network to DNS Server
Action: Allow
Protocols: DNS
From: Internal
To: Local Host
Users: All Users
Schedule: Always
Content Types: All content types
Purpose: This rule allows Internal network clients access to the caching-only DNS server on the ISA firewall. Create this rule if you do not have an Internal Network DNS server, or if you have decided that you want to use the caching-only DNS server as your caching-only forwarder for all Internal Network clients, even when you have an Internal Network DNS server.

Table 6.12: All Open

Name: All Open
Action: Allow
Protocols: All Outbound Traffic
From: Internal
To: External
Users: All Users
Schedule: Always
Content Types: All content types
Purpose: This rule allows Internal network clients access to all protocols and sites on the Internet.

Warning

This last rule, All Open, is used only to get you up and running. The All Open rule lets you test the ISA firewall's basic Internet connectivity, but, like most hardware packet-filter firewalls, it provides no outbound access control at all. The ISA firewall provides advanced inbound and outbound protection, so be sure to disable the All Open rule and create per-user/group, per-protocol and per-site rules once your basic Internet connections through the ISA firewall are successful.

In addition to these Access Rules, you should configure the firewall System Policy to allow DHCP replies from External network DHCP servers.
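As an added example (not code from the book or from ISA Server itself), the following Python models the five rules of Tables 6.8 through 6.12 as an ordered policy with ISA's implicit default deny, so you can check what the All Open rule admits and what disabling it removes. It assumes 10.0.0.1 as the ISA firewall's internal interface and 10.0.0.0/24 as the Internal network; 10.0.0.2 is the Internal DNS Server computer object used in the rule steps.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not from the book): the ISA firewall's
# internal interface and the Internal network behind it.
ISA_INTERNAL_IP = ip_address("10.0.0.1")
INTERNAL_NET = ip_network("10.0.0.0/24")
COMPUTERS = {"DNS Server": ip_address("10.0.0.2")}   # user-defined Computer object, Table 6.10

def in_network(ip: str, element: str) -> bool:
    # Does address ip belong to the ISA network element a rule names?
    addr = ip_address(ip)
    if element == "Anywhere":      # computer set covering every address; needed for
        return True                # DHCP requests because the client has no IP yet
    if element == "Local Host":    # the firewall itself (internal interface in this model)
        return addr == ISA_INTERNAL_IP
    if element == "Internal":
        return addr in INTERNAL_NET
    if element == "External":      # everything not belonging to a defined network
        return addr not in INTERNAL_NET
    return addr == COMPUTERS[element]

@dataclass
class AccessRule:
    name: str
    protocols: frozenset     # protocol definitions; {"*"} stands for All Outbound Traffic
    src: str
    dst: str
    enabled: bool = True     # every quick-start rule is an Allow rule

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        return (self.enabled
                and ("*" in self.protocols or proto in self.protocols)
                and in_network(src_ip, self.src)
                and in_network(dst_ip, self.dst))

QUICK_START_POLICY = [   # Tables 6.8 to 6.12, in the order the wizard created them
    AccessRule("DHCP Request to Server", frozenset({"DHCP (request)"}), "Anywhere", "Local Host"),
    AccessRule("DHCP Reply from Server", frozenset({"DHCP (reply)"}), "Local Host", "Internal"),
    AccessRule("Internal DNS Server to DNS forwarder", frozenset({"DNS"}), "DNS Server", "Local Host"),
    AccessRule("Internal Network to DNS Server", frozenset({"DNS"}), "Internal", "Local Host"),
    AccessRule("All Open", frozenset({"*"}), "Internal", "External"),
]

def evaluate(policy, proto: str, src_ip: str, dst_ip: str):
    """First matching rule wins; with no match, ISA's built-in Default rule denies."""
    for rule in policy:
        if rule.matches(proto, src_ip, dst_ip):
            return "Allow", rule.name
    return "Deny", "Default rule"

def without(policy, name: str):   # copy of the policy with one rule disabled
    return [AccessRule(r.name, r.protocols, r.src, r.dst, r.enabled and r.name != name)
            for r in policy]
```

Note that a DNS query from 10.0.0.2 matches both the third and the fourth rule; ISA reports the first one, which is why rule order matters once the rules stop being mutually exclusive.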





DHCP Request to Server Rule

Perform the following steps to create the DHCP Request to Server rule:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Firewall Policy.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. On the Task pane, click Create a New Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter DHCP Request to Server in the Access Rule name text box. Click Next.
4. On the Rule Action page, select Allow, and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list, and click Add.
6. In the Add Protocols dialog box (Figure 6.24), click the Infrastructure folder. Double-click the DHCP (request) entry, and click Close.

Figure 6.24: The Add Protocols Dialog Box

7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Computer Sets folder. Double-click the Anywhere entry, and click Close.
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the Networks folder, and double-click Local Host. Click Close.
13. Click Next on the Access Rule Destinations page.
14. On the User Sets page, accept the default entry, All Users, and click Next.
15. On the Completing the New Access Rule Wizard page, review the settings, and click Finish.

DHCP Reply from Server Rule

Perform the following steps to create the DHCP Reply from Server rule:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Firewall Policy.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. On the Task pane, click Create a New Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter DHCP Reply from Server in the Access Rule name text box. Click Next.
4. On the Rule Action page, select Allow, and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list, and click Add.
6. In the Add Protocols dialog box, click the Infrastructure folder. Double-click DHCP (reply), and click Close.
7. Click Next on the Protocols page.

Figure 6.25: The Protocols Page

8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder. Double-click the Local Host entry, and click Close.
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the Networks folder, and then double-click the Internal entry. Click Close.
13. Click Next on the Access Rule Destinations page.
14. On the User Sets page, accept the default entry, All Users, and click Next.
15. On the Completing the New Access Rule Wizard page, review the settings, and click Finish.

Internal DNS Server to DNS Forwarder Rule

Perform the following steps to create the Internal DNS Server to DNS Forwarder rule:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Firewall Policy.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. On the Task pane, click Create a New Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter Internal DNS Server to DNS Forwarder in the Access Rule name text box. Click Next.
4. On the Rule Action page, select Allow, and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list, and click Add.
6. In the Add Protocols dialog box, click the Infrastructure folder. Double-click the DNS entry, and click Close.
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box (Figure 6.26), click the New menu, then click Computer.

Figure 6.26: Selecting the Computer Command

10. In the New Computer Rule Element dialog box, enter Internal DNS Server in the Name text box. Enter 10.0.0.2 in the Computer IP Address text box. Click OK.
11. In the Add Network Entities dialog box (Figure 6.27), click the Computers folder, and double-click Internal DNS Server. Click Close.

Figure 6.27: Selecting the New Computer Object

12. Click Next on the Access Rule Sources page.
13. On the Access Rule Destinations page, click Add.
14. In the Add Network Entities dialog box, click the Networks folder, and double-click Local Host. Click Close.
15. Click Next on the Access Rule Destinations page.
16. On the User Sets page, accept the default entry, All Users, and click Next.
17. On the Completing the New Access Rule Wizard page, review the settings, and click Finish.

Internal Network to DNS Server

Perform the following steps to create the Internal Network to DNS Server rule:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Firewall Policy.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. On the Task pane, click Create a New Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter Internal Network to DNS Server in the Access Rule name text box. Click Next.
4. On the Rule Action page, select Allow, and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list, and click Add.
6. In the Add Protocols dialog box, click the Common Protocols folder. Double-click the DNS entry, and click Close.
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click the Networks folder. Double-click Internal, and click Close.
10. Click Next on the Access Rule Sources page.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click the Networks folder, and double-click Local Host. Click Close.
13. Click Next on the Access Rule Destinations page.
14. On the User Sets page, accept the default entry, All Users, and click Next.
15. On the Completing the New Access Rule Wizard page, review the settings, and click Finish.

The All Open Rule

Perform the following steps to create the All Open rule:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click Firewall Policy.
2. In the Firewall Policy node, click the Tasks tab in the Task pane. On the Task pane, click Create a New Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter All Open in the Access Rule name text box. Click Next.
4. On the Rule Action page, select Allow, and click Next.
5. On the Protocols page, select All outbound traffic from the This rule applies to list.
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, click the Networks folder. Double-click Internal, and click Close.
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add.
11. In the Add Network Entities dialog box, click the Networks folder, and double-click External. Click Close.
12. Click Next on the Access Rule Destinations page.
13. On the User Sets page, accept the default entry, All Users, and click Next.
14. On the Completing the New Access Rule Wizard page, review the settings, and click Finish.

Your Access Rules should look like those in Figure 6.28. Note that in this example, you do not need to reorder the rules. When you start creating advanced Access Rules to control inbound and outbound access, you may need to reorder rules to obtain the desired results.

Figure 6.28: The Resulting Firewall Policy

Configuring the Internal Network Computers

Internal Network computers are set up as ISA Server SecureNAT clients. A SecureNAT client is a machine whose default gateway is set to the IP address of a network device that routes Internet-bound requests to the internal IP address of the ISA Server 2004 firewall.

When Internal network computers are on the same network ID as the internal interface of the ISA firewall, the default gateway of the internal network computers is set to the internal IP address of the ISA firewall machine. This is how the DHCP scope on the DHCP server located on the ISA firewall is configured.

We will configure internal network computers that are on the same network ID as the internal interface of the ISA Server 2004 firewall, and also clients located on other network IDs. This latter configuration is more common on larger networks that have more than one network ID on the internal network.

Note

The 'network ID' is part of the IP address. Network IDs are part of advanced TCP/IP networking concepts. Typically, SOHO networks have only one network ID and you do not need to be concerned about knowing your network ID. If you have a router anywhere behind the ISA firewall, you need to understand network IDs.

Configuring Internal Clients as DHCP Clients

DHCP clients request IP addressing information from a DHCP server. In this section, you will find out how to configure the Windows 2000 (Server or Professional) client as a DHCP client. The procedure is similar for all Windows-based clients. Perform the following steps to configure the internal network client as a DHCP client:

1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right-click the external network interface, and click Properties.
3. In the network interface's Properties dialog box, click the Internet Protocol (TCP/IP) entry, and click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure 6.29), select Obtain an IP address automatically.

Figure 6.29: The Internet Protocol (TCP/IP) Properties Dialog Box

5. Select Use the following DNS server addresses. Enter the IP address of the ISA firewall's internal interface in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
6. Click OK in the internal interface's Properties dialog box.

Figure 6.30 shows a Network Monitor trace of a Windows XP client sending a request to the caching-only DNS server on the ISA firewall for an Internal Network domain for which we created a stub zone. The following eight frames are in the trace:

1. The client sends a reverse lookup query to the DNS server for the IP address of the DNS server itself. This allows the client to ascertain the name of the DNS server.
2. The caching-only DNS server on the ISA firewall responds to the Windows XP client with the answer to the query made in frame #1.
3. The Windows XP client sends a query to the caching-only DNS server on the ISA firewall for www.msfirewall.org. The msfirewall.org domain is the name of the Internal Network domain.
4. An ARP broadcast is made by the ISA firewall to discover the IP address of the DNS server authoritative for the Internal Network domain.
5. The DNS server returns its IP address to the ISA firewall in an ARP broadcast.
6. The ISA firewall sends a query to the Internal DNS server to resolve the name of the Internal domain host.
7. The Internal DNS server returns the answer to the query to the ISA firewall.
8. The ISA firewall returns the response to the Windows XP client that made the original request.

Figure 6.30: DNS Queries in Network Monitor Trace

Figure 6.31 shows the domains cached on the caching-only DNS server located on the ISA firewall. Enable the Advanced View in the DNS console to see the Cached Lookups node. After expanding the .(root) folder, you can see the domains for which the DNS server has cached DNS query information. If you double-click any of the domains, you will see the actual resource records that the DNS server has cached.

Figure 6.31: DNS Domains Cached by the Caching-only DNS Server on the ISA Firewall
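As an added example, not code from the book or from the Windows DNS service, the following Python models the lookup path in the trace above: the client asks the caching-only DNS server on the firewall, which sends names under the stub zone msfirewall.org to the Internal DNS Server (10.0.0.2, as in the rule steps) and everything else to a forwarder, caching each answer for its TTL so a repeat query never leaves the firewall. The forwarder address, the resource records and the client address are constructed, and the ARP frames are omitted.

```python
# Constructed records, keyed by the server that answers for them (assumptions).
AUTHORITATIVE = {
    "10.0.0.2": {"www.msfirewall.org": ("10.0.0.10", 3600)},       # Internal DNS Server
    "198.51.100.53": {"www.example.com": ("93.184.216.34", 300)},   # ISP forwarder (assumed)
}


class CachingOnlyDns:
    """The DNS service on the ISA firewall: no zones of its own, only stub zones and a cache."""

    def __init__(self, stub_zones, forwarder, clock):
        self.stub_zones = stub_zones   # zone name -> address of its authoritative server
        self.forwarder = forwarder     # where everything outside the stub zones is sent
        self.clock = clock             # callable returning seconds; injected so tests control time
        self.cache = {}                # qname -> (answer, expiry time)

    def upstream_for(self, qname):
        """Names inside a stub zone go to the Internal DNS server, all others to the forwarder."""
        for zone, server in self.stub_zones.items():
            if qname == zone or qname.endswith("." + zone):
                return server
        return self.forwarder

    def resolve(self, qname, client_ip):
        """Return (answer, frames); frames list the exchanges in the order a trace shows them."""
        frames = [f"{client_ip} -> firewall: query {qname}"]
        cached = self.cache.get(qname)
        if cached and cached[1] > self.clock():
            frames.append(f"firewall -> {client_ip}: {cached[0]} (from cache)")
            return cached[0], frames
        server = self.upstream_for(qname)
        frames.append(f"firewall -> {server}: query {qname}")
        record = AUTHORITATIVE.get(server, {}).get(qname)
        if record is None:
            frames += [f"{server} -> firewall: NXDOMAIN", f"firewall -> {client_ip}: NXDOMAIN"]
            return None, frames
        answer, ttl = record
        self.cache[qname] = (answer, self.clock() + ttl)   # honour the record's TTL
        frames += [f"{server} -> firewall: {answer}", f"firewall -> {client_ip}: {answer}"]
        return answer, frames
```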



