Solutions Fast Track - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder

Solutions Fast Track

Configuring Access Rules for Outbound Access through the ISA Firewall

Only protocols with a primary connection in the outbound or send direction can be used in Access Rules. In contrast, Web Publishing Rules and Server Publishing Rules always use protocols with a primary connection in the inbound or receive direction. Access Rules control access from source to destination using outbound protocols.

On the Rule Action page you have two options: Allow or Deny. In contrast to ISA Server 2000, the new ISA firewall has Deny selected as the default.

The ISA firewall comes with over 100 built-in Protocol Definitions you can use in your Access Rules.

There are several options you can configure in an Access Rule that aren't exposed in the New Access Rule Wizard. You can access these options in the Properties dialog box of the Access Rule.

When you set a schedule for an Access Rule, the rule is applied only to new connections that match the characteristics of the rule. Active connections to which the rule applies are not disconnected.

The Copy option is very useful if you want to avoid using the New Access Rule Wizard to create new rules. Right-click an existing rule and then click Copy. Right-click the same rule and then click Paste.

A common error made by ISA firewall administrators involves allowing hosts on an ISA firewall Protected Network to loop back through the firewall to access resources on the same Network where the client is located. Looping back through the ISA firewall can either reduce the overall performance of the ISA firewall or prevent the communication from working at all.

You should always avoid looping back through the ISA firewall for resources located on the same Network as the requesting host. The solution is to configure SecureNAT, Firewall and Web Proxy clients to use Direct Access for local resources (local resources are those contained on the same ISA firewall Network as the host requesting them).

Blocking dangerous applications is a common task for the ISA firewall. There are a number of methods you can use to block dangerous applications.

When MSN Messenger sends credentials to the MSN Messenger site, those credentials are also sent to the ISA firewall. If the user name and password the user uses to access the MSN Messenger site aren't the same as the credentials the user uses on the corporate network, the connection will fail.

After a client initiates a request, the ISA firewall maintains an active state in the firewall state table for the session, which permits the response to return to the client. The active state also permits the client to send new requests. The ISA firewall removes the active state from the state table after the session is idle for an unspecified period of time (usually a minute or two).

Using Scripts to Populate Domain Name Sets

In addition to performing the basic task of stateful filtering (which even a simple 'hardware' firewall can do), the ISA firewall's strong application layer inspection feature set allows the ISA firewall to actually understand the protocols passing through the firewall.

The ISA firewall's stateful application inspection mechanism allows you to control access not just to 'ports', but to the actual protocols moving through those ports.

The first thing you need to do when using the Import scripts is create the URL Set and the Domain Name Set in the Microsoft Internet Security and Acceleration Server 2004 management console.

As you obtain more URLs, you can add them to the same text files and run the script again. The new entries will be added without creating duplicates of the domains or URLs that are already included in the Domain Name Set or URL Set.
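
The duplicate-free merge that the import scripts perform, shown as an added example that is not the book's script: the ISA firewall's object model is replaced by a plain Python set so the logic runs offline, and the text file contents are constructed.

```python
"""Merge domains from a text file into a Domain Name Set without creating
duplicates. Added example, not the book's import script: the ISA COM object
model is stood in for by a Python set. The file contents are constructed."""

# Constructed text file in the form the chapter's scripts read:
# one domain per line; blank lines and '#' comments are ignored.
DOMAINS_TXT = """
# Blocked domains (constructed sample)
*.example.com
ads.example.net
Tracker.Example.org.
*.example.com
"""

def normalize(entry: str) -> str:
    """Canonical form of a Domain Name Set entry: lower-case, surrounding
    whitespace and any trailing dot removed, so 'Example.COM.' and
    'example.com' are recognised as the same domain."""
    return entry.strip().lower().rstrip(".")

def parse_domain_file(text: str) -> list[str]:
    """Return the normalized, non-empty, non-comment lines in file order,
    dropping duplicates that occur inside the file itself."""
    seen: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]        # strip trailing comment
        name = normalize(line)
        if name and name not in seen:
            seen.append(name)
    return seen

def merge_domain_set(existing: set[str], text: str) -> tuple[set[str], list[str]]:
    """Merge file entries into the existing set and return
    (new set, entries actually added). Re-running on the same file
    adds nothing, which is the behaviour the chapter describes."""
    current = {normalize(e) for e in existing}
    added = [d for d in parse_domain_file(text) if d not in current]
    return current | set(added), added

if __name__ == "__main__":
    first, added1 = merge_domain_set({"*.example.com"}, DOMAINS_TXT)
    print(sorted(first), "added:", added1)
    # Same file plus one new line: only the new entry is added.
    second, added2 = merge_domain_set(first, DOMAINS_TXT + "\nnew.example.com\n")
    print(sorted(second), "added:", added2)
```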

Creating and Configuring a Public Address Trihomed DMZ Network

Unlike the ISA Server 2000 firewall, which saw the world as 'trusted versus untrusted' (LAT versus non-LAT), the ISA Server 2004 firewall sees all networks as untrusted and applies firewall policy to all connections made through the ISA Server 2004 firewall. This includes hosts connecting through a VPN remote access client or VPN gateway connection.

ISA Server 2004 multinetworking allows you to connect multiple interfaces (or multiple virtual interfaces using VLAN tagging) and have complete control over the traffic that moves between networks connected by the ISA Server 2004 firewall.

Using public addresses is sometimes necessary if you have an established DMZ segment with multiple hosts using public addresses and you do not wish to change the addressing scheme because of the overhead involved in making the appropriate public DNS changes.

ISA Server 2004 firewall policy provides two methods you can use to control traffic moving through the firewall: Access Rules and Publishing Rules. Access Rules can participate in a route or NAT relationship. Publishing Rules always NAT the connection, even if you're using a public address segment and have a route relationship between the source and destination host.

One of the major drawbacks of ISA Server 2000 Web publishing scenarios was that you always received the IP address of the ISA Server 2000 firewall in the published Web servers' log files. ISA Server 2004 fixes this problem and allows you to choose whether to pass the original client IP address to the published Web server or to use the ISA Server 2004 firewall's IP address.

When you create a public address DMZ segment, you need to subnet your public block and assign one of the subnets to the DMZ segment. You can then bind the first valid address of a subnetted block to the DMZ interface and the first valid address of another subnetted block to the public interface.

You have to configure the upstream router with a route to the DMZ segment. You do this by configuring the router to use the IP address on the external interface of the ISA Server 2004 firewall as the gateway address for the DMZ segment's network ID. If this routing table entry is missing on the upstream router, no new inbound connections to the DMZ segment, and no responses from the DMZ segment to inbound connections, will work.
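
The two steps above (subnetting the public block and adding the upstream route) worked through as an added example that is not from the book. The public block 203.0.113.0/28 is a constructed value from the documentation range, and the function names are illustrative.

```python
"""Plan the addressing of a public-address trihomed DMZ as the chapter
describes: subnet the public block, bind the first valid address of each
subnet to the matching ISA interface, and derive the static route the
upstream router needs. Added example, not from the book; the public block
is a constructed documentation-range value."""
import ipaddress

PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/28")  # constructed

def plan_dmz(block, prefixlen_diff=1):
    """Split the block into 2**prefixlen_diff subnets. The first subnet
    becomes the external segment and the second the DMZ segment; the
    first valid host address of each is bound to the ISA NIC facing it."""
    subnets = list(block.subnets(prefixlen_diff=prefixlen_diff))
    if len(subnets) < 2:
        raise ValueError("block too small for an external and a DMZ subnet")
    external, dmz = subnets[0], subnets[1]
    ext_ip = next(external.hosts())   # first valid address -> external NIC
    dmz_ip = next(dmz.hosts())        # first valid address -> DMZ NIC
    return {
        "external_subnet": external,
        "dmz_subnet": dmz,
        "isa_external_ip": ext_ip,
        "isa_dmz_ip": dmz_ip,
        # Upstream router: route the DMZ network ID via the address on
        # the ISA firewall's external interface.
        "upstream_route": (dmz, ext_ip),
        # Addresses left for DMZ servers (the first host went to ISA).
        "dmz_host_addresses": list(dmz.hosts())[1:],
    }

def router_has_dmz_route(routes, plan):
    """Check an upstream router's static routes, given as (destination,
    gateway) strings, for the DMZ route. Without it no inbound connection
    to the DMZ segment, and no response from it, can work."""
    dmz, gw = plan["upstream_route"]
    return any(ipaddress.ip_network(d) == dmz and ipaddress.ip_address(g) == gw
               for d, g in routes)

if __name__ == "__main__":
    plan = plan_dmz(PUBLIC_BLOCK)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("router ok:", router_has_dmz_route([("203.0.113.8/29", "203.0.113.1")], plan))
```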

DNS is a critical issue for the ISA Server 2004 firewall because the firewall can perform proxy name resolution for Web Proxy and Firewall clients. The ISA Server 2004 firewall uses the DNS settings on its NICs to query the appropriate DNS server. If you have an incorrect DNS server configuration, you can experience either slow name resolution or no name resolution at all.

After the DMZ network is defined, the next step is to configure the route relationships between the DMZ network, the Internal network and the Internet (which is the External network, defined as any address that does not belong to a network you have defined).

The DMZ host may need to resolve Internet host names. This is the case whenever the DMZ host needs to establish new outbound connections to servers on the Internet based on the destination host name.

The Internal network DNS server needs to be able to query Internet DNS servers to resolve Internet host names. We can create a DNS Access Rule that allows the Internal network DNS server access to Internet DNS servers using the DNS protocol.

You may wish to see the original IP address of the external network host instead of the ISA Server 2004 firewall's IP address when you publish the Web server using an Access Rule. You can accomplish this goal by disabling the Web Proxy filter.

Allowing Intradomain Communications through the ISA Firewall

You can now create multiple directly attached perimeter networks and allow controlled access to and from those perimeter networks. You can now safely put domain member machines on these DMZ segments to support a variety of new scenarios, such as dedicated network services segments that enforce domain segmentation.

You might want to put an Internet-facing Exchange Server or an inbound authenticating SMTP relay on a network services segment. In order to take advantage of the user database in the Active Directory, you need to join these machines to the Active Directory domain on the Internal network.

RPC services register themselves in the Registry with a universally unique identifier (UUID), which is similar in function to a globally unique identifier (GUID). RPC UUIDs are well-known identifiers (at least to RPC services), and are unique for each service.

The ISA firewall's RPC filter can dynamically control port access. The RPC filter listens to the RPC negotiations and then dynamically opens the required high port.

When you apply a Network Template to create a DMZ segment, the default route relationship is set as NAT.