Lesson 2 Configuring ISA Server Dial-up Connections
ISA Server can provide firewall and caching benefits for your network even when you do not have a dedicated Internet connection. You may use ISA Server to secure a single dial-up connection to your ISP and to share that connection among all computers on your network.
After this lesson, you will be able to
Create dial-up entries in ISA Server
Provide complete and secure Internet access to your ISA Server clients through a dial-up connection on your ISA Server computer
Configure your ISA Server computer for dial-on-demand
Estimated lesson time: 30 minutes
Configuring Dial-up Entries
To configure dial-up entries in ISA Server, you create policy elements for dial-up connections in ISA Management. This step is not required for Web Proxy and firewall clients to use and share a dial-up connection that you establish manually on the ISA Server computer. However, if you want clients that do not have Firewall Client installed (SecureNAT clients) to use non-Web services such as Post Office Protocol version 3 (POP3) and Network News Transfer Protocol (NNTP) through a dial-up connection, you must create a dial-up entry and then configure the network to route requests through that dial-up entry.
Besides providing Internet connectivity to SecureNAT clients, creating dial-up entries allows you to apply connection-specific rules and policies to dial-up connections in ISA Server. By creating dial-up entries, you can specify how the ISA Server computer connects to the Internet with those dial-up connections.
Finally, only by configuring dial-up entries can you enable dial-on-demand for Web Proxy and firewall clients.
Each dial-up entry includes the following information:
The name of the dial-up connection that was previously configured for the remote access server on all the servers in the array
The user name and password for a user who has permissions to access the Internet Service Provider via the dial-up connection
You can configure dial-up entries only for network dial-up connections that are configured on all the ISA Server computers in an array. See Windows 2000 Help for instructions on creating network dial-up connections.
Although you may create multiple dial-up entries, only one dial-up entry can be active for an array. The active dial-up entry is used whenever ISA Server dials out automatically to the Internet to service a client request.
Follow these steps to create a dial-up entry:
Open the ISA Management console.
Expand the console tree, expand Servers And Arrays, expand MyArray, and then expand the Policy Elements node.
Right-click Dial-up Entries, point to New, and then click Dial-Up Entry. The New Dial-up Entry dialog box appears.
In the Name text box, type the name of the dial-up entry.
(Optional) In the Description box, type a description for the dial-up entry.
In the Use The Following Network Dial-Up Connection box, type or select the name of an existing Windows 2000 network dial-up connection, and then click Set Account.
In the User text box, type the user name supplied by your ISP.
In the Password and Confirm Password text boxes, type the user's password.
Click OK. The New Dial-up Entry dialog box reappears.
Click OK.
Before you configure dial-up entries in ISA Server, you should also be aware of the following:
The network dial-up connection to be specified in the dial-up entry must already be configured on each of the array's member servers.
The dial-up entry that is created becomes the active dial-up entry. This dial-up entry will be used for routing rules and for firewall chaining.
The user name and password you specify should be the same user name and password that you would type to manually establish a network dial-up connection.
If you have more than one dial-up entry, follow these steps to set an active dial-up entry:
Open the ISA Management console.
Click the View menu and then click Advanced.
Expand the console tree and then expand the Policy Elements node.
Click Dial-up Entries.
In the details pane, right-click the applicable dial-up entry and then click Set As Active Entry.
Note also the following points about the active dial-up entry:
You cannot delete the active dial-up entry.
When you set an active dial-up entry, all existing dial-up connections are disconnected if ISA Server was used to dial those connections.
Dial-on-Demand
You can configure ISA Server to use a dial-up entry to dial out to the Internet for simple routing or for active caching.
Routing. When a client requests an object, if the route for the client request requires establishing a dial-up connection, and if access policy allows the client request, ISA Server will dial out to the Internet using the active dial-up entry.
Active caching. If active caching is enabled, ISA Server dials out to the Internet to refresh frequently accessed objects in the cache.
In addition, ISA Server dials out to the Internet when it cannot definitively determine whether access policy allows a client request. This happens, for example, when an access policy rule specifies a destination by name while the client requests the computer by IP address (or the reverse). If a routing rule indicates that a dial-up connection should be established for the request, ISA Server dials out to the Internet only to resolve the name requested by the client or to perform a reverse lookup on the address. ISA Server then checks the access policy rules again to determine whether the request is allowed, so a request that policy ultimately denies can still cause a dial-out.
Only Web Proxy and firewall clients can be configured for dial-on-demand. For SecureNAT clients to connect to the Internet, a dial-up connection must already be established.
Configuring Dial-on-Demand
You can configure ISA Server to dial out to the Internet when necessary, such as when a requested object is not in the ISA Server cache.
Follow these steps to enable dial-on-demand:
Create a network dial-up connection. See Windows 2000 Help for instructions on creating network dial-up connections.
Create a dial-up entry in ISA Management.
Enable dialing for the Firewall service (as described below). This step is required only for firewall clients and not Web Proxy clients.
Enable automatic dial-out for routing (as described below).
Verify that no default gateway is configured on any internal network adapter of the ISA Server computers in the array. With a default gateway on an internal adapter, the server already has a route to every external address and sends the traffic to the internal network instead of dialing out.
Follow these steps to enable dialing for the Firewall service:
In the console tree of ISA Management, right-click the Network Configuration node, and then click Properties. (The Network Configuration properties sheet is shown in Figure 3.3.)
On the Firewall Chaining tab, click the Use Primary Connection radio button.
Select the Use Dial-up Entry check box.

Figure 3.3 Routing via a dial-up entry
Once you have configured the Firewall service to use the dial-up entry to resolve external requests, you can configure the Firewall service to dial out to the Internet automatically through this dial-up entry.
Follow these steps to enable automatic dial-out for routing:
In the console tree of ISA Management, click Routing.
In the details pane, right-click the specific routing rule you want to configure and then click Properties. This properties dialog box is shown in Figure 3.4.
On the Action tab, click the Retrieving Them Directly From The Specified Destination radio button.
On the Action tab, select the Use Dial-Up Entry For Primary Route check box.

Figure 3.4 Configuring a routing rule for Automatic Dial-out
Limiting ISA Server Dial-Out to External Sites
You can keep ISA Server from dialing out unnecessarily by configuring the local domain table (LDT) so that it includes the names of all internal computers. Firewall clients use the LDT, which you configure in ISA Management, to decide whether to resolve a name directly (for names in the LDT) or through ISA Server (for everything else). This prevents ISA Server from dialing out to an external DNS server only to discover that the requested computer is internal. Firewall clients keep a local copy of the LDT on their computer, which is refreshed regularly. Note that the LDT applies only to requests from firewall clients; SecureNAT and Web Proxy client requests are not checked against it.
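The following Python model is added here to tie together the dial-out rules described above; it is an illustration, not part of the lesson and not ISA Server code. It shows the LDT check for firewall clients, the "cannot definitively determine" case in which ISA Server dials out only to resolve a name or perform a reverse lookup and then re-evaluates the policy, and the SecureNAT restriction. The wildcard LDT syntax (*.domain), the rule format, the constructed DNS table and the documentation-range addresses are assumptions for illustration; active caching dial-out is not modeled.

```python
"""Model of ISA Server's dial-on-demand decision for one client request (added
illustration, not ISA Server code): firewall clients check the LDT first; an
allowed request dials only if the routing rule needs the dial-up entry; when
policy and request name the destination differently (DNS name vs. IP address)
ISA Server dials out just to resolve, then re-evaluates; SecureNAT clients never
trigger dial-out. LDT wildcards, rule format and DNS table are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional

def is_ip(dest: str) -> bool:
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    destinations: list   # DNS names / wildcard patterns, or IP networks (CIDR)

@dataclass
class Config:
    ldt: list                    # local domain table (assumed *.domain wildcards)
    rules: list                  # access policy; first match wins, no match = deny
    route_requires_dialup: bool  # routing rule: Use Dial-Up Entry For Primary Route
    link_up: bool                # is the active dial-up entry already connected?

def in_ldt(name: str, ldt: list) -> bool:
    """Firewall clients resolve LDT names directly, so these never dial out."""
    if is_ip(name):
        return False
    return any(fnmatchcase(name.lower(), entry.lower()) for entry in ldt)

def rule_matches(rule: Rule, dest: str) -> Optional[bool]:
    """True/False when decidable; None when the rule is written in the other
    form (name vs. address) and needs DNS before it can be compared."""
    dest_is_ip = is_ip(dest)
    undecidable = False
    for d in rule.destinations:
        if "/" in d or is_ip(d):                    # rule destination is an address
            if dest_is_ip:
                if ip_address(dest) in ip_network(d, strict=False):
                    return True
            else:
                undecidable = True
        elif dest_is_ip:                            # rule by name, request by address
            undecidable = True
        elif fnmatchcase(dest.lower(), d.lower()):  # rule by name, request by name
            return True
    return None if undecidable else False

def evaluate(rules: list, forms: set) -> str:
    """Apply the policy to every known form of the destination (name, address);
    returns "allow", "deny" or "unknown" (resolution needed to go further)."""
    for rule in rules:
        results = [rule_matches(rule, f) for f in forms]
        if any(r is True for r in results):
            return rule.action
        if all(r is None for r in results):
            return "unknown"    # cannot skip this rule without resolving
    return "deny"

def decide(cfg: Config, client_type: str, destination: str, dns: dict) -> tuple:
    """Return (verdict, dialed); dns maps name->address and address->name.
    client_type is "firewall", "webproxy" or "securenat"."""
    if client_type == "firewall" and in_ldt(destination, cfg.ldt):
        return ("internal", False)
    dialed = False
    forms = {destination}
    verdict = evaluate(cfg.rules, forms)
    if verdict == "unknown":
        if cfg.route_requires_dialup and not cfg.link_up:
            if client_type == "securenat":
                return ("no-link", False)  # nothing dials on a SecureNAT client's behalf
            dialed = True                  # dial out only to resolve, then re-check
        other = dns.get(destination.lower())
        if other:
            forms.add(other)
        verdict = evaluate(cfg.rules, forms)
        if verdict == "unknown":           # still undecidable: treated as no match (assumed)
            verdict = "deny"
    if verdict == "allow" and cfg.route_requires_dialup and not cfg.link_up:
        if client_type == "securenat":
            return ("no-link", dialed)
        dialed = True
    return (verdict, dialed)

def demo() -> dict:
    """Constructed configuration and DNS data (documentation address ranges)."""
    cfg = Config(ldt=["*.contoso.local", "server1", "server2"],
                 rules=[Rule("deny", ["*.blocked.example"]),
                        Rule("allow", ["*.example.com", "203.0.113.0/24"])],
                 route_requires_dialup=True, link_up=False)
    dns = {"www.example.com": "203.0.113.10", "203.0.113.10": "www.example.com",
           "ads.blocked.example": "198.51.100.7", "198.51.100.7": "ads.blocked.example"}
    return {"internal": decide(cfg, "firewall", "server2", dns),          # no dial-out
            "allowed_name": decide(cfg, "firewall", "www.example.com", dns),
            "denied_ip": decide(cfg, "webproxy", "198.51.100.7", dns),    # dials for the reverse lookup, then denies
            "securenat": decide(cfg, "securenat", "www.example.com", dns)}
```

The "denied_ip" case is the one worth noticing: the deny rule is written by name and the client asked by address, so the model (like ISA Server) has to bring the link up just to do the reverse lookup, and only then rejects the request. Writing destination sets in the same form clients use, and listing internal names in the LDT, is what keeps such dial-outs from happening.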
Closing Dial-up Connections
After ISA Server dials out to the Internet, the connection is maintained until one of the following occurs:
Another dial-up entry is made active.
The active dial-up entry is modified so that it specifies a different network dial-up connection.
The dial-up entry for firewall chaining is disabled.
The primary route becomes available (if the dial-up connection is designated as the backup route).
The Firewall service stops.
Practice: Configuring a Dial-up Entry
Exercise 1: Disabling the Firewall Client
In this exercise, you view the session status of a firewall client, disable the Firewall Client software, and note the difference in behavior.
To disable the Firewall Client
Log on to Domain01 from both Server1 and Server2 as Administrator.
On Server2, click the Start button and click Run. The Run dialog box appears.
Type cmd and click OK.
A command prompt appears.
At the command prompt, type nslookup www.microsoft.com and press Enter. You will receive a response listing the IP addresses that your preferred DNS server associates with www.microsoft.com.
On Server1, open ISA Management, expand the MyArray node, and then expand the Monitoring node.
Click the Sessions folder.
Click the View menu and then click Advanced.
Right-click the details pane and then click Refresh.
Find Server2's current Internet session listed in the details pane. Notice that the session type is listed as Firewall Session, the user name as Administrator, and the Client Computer as Server2. When the Firewall Client software is enabled, the user account name and client computer name are provided with the session information.
Switch to Server2 and disable the Firewall Client software. (You can disable it by double-clicking the Firewall Client icon in Control Panel, clearing the Enable Firewall Client check box in the Firewall Client Options dialog box, and then clicking OK.)
Activate the command prompt window.
At the command prompt, type nslookup www.microsoft.com and press Enter. You will receive a message informing you that the DNS request has timed out. This occurs because Server2 is now a SecureNAT client, and you have not yet configured ISA Server to route SecureNAT client requests through the ISA Server dial-up connection.
Exercise 2: Creating a New Dial-up Entry
Perform this exercise on Server1. Creating a dial-up entry policy element is the first step in allowing SecureNAT clients to access the Internet through an ISA Server dial-up connection.
To create a dial-up entry policy element
Open the ISA Management console.
Expand the console tree and then expand the Policy Elements node.
Right-click the Dial-up Entries node, point to New, and then click Dial-up Entry. The New Dial-up Entry dialog box appears.
In the Name text box, type MyDialUp.
Click the Select button. The Select Network Dial-up Connection dialog box appears.
In the Network Dial-up Connection box, select the available dial-up connection, and then click OK.
On the New Dial-up Entry dialog box, click Set Account. The Set Account dialog box appears.
In the appropriate text boxes, type the user name and password assigned by your ISP.
Click OK.
On the New Dial-up Entry dialog box, click OK. MyDialUp now appears in the details pane of the ISA Management console when the Dial-up Entries folder is selected.
Exercise 3: Configuring ISA Server to Route Through the Dial-up Entry
This exercise enables SecureNAT clients to route Internet requests through the active dial-up entry. Perform these steps on Server1.
To enable SecureNAT clients
In the console tree of ISA Management, locate and right-click the Network Configuration node, and then click Properties. The Network Configuration Properties dialog box appears.
On the Firewall Chaining tab, verify that the Use Primary Connection radio button is selected.
Select the Use Dial-up Entry check box and click OK. In the next exercise, you restart the Firewall service so that the new routing configuration takes effect.
Exercise 4: Restarting the Firewall Service
Whenever you make changes to the routing configuration, you need to restart the Firewall and/or Web Proxy services for the changes to take effect. Perform the following steps on Server1.
To restart the Firewall and/or Web Proxy services
In the console tree of ISA Management, locate and expand the Monitoring node.
Click the Services node.
In the details pane, right-click the Firewall service and click Stop.
When the Firewall service has fully stopped, right-click the Firewall service again and click Start. Wait until the Firewall service icon turns green before proceeding to the next exercise.
Exercise 5: Viewing SecureNAT Session Information
In this exercise, you connect to the Internet from a SecureNAT client and then view the session information in ISA Server.
To connect to the Internet from a SecureNAT client
On Server2, open a command prompt.
At the command prompt, type nslookup www.microsoft.com and press Enter. You will receive a response indicating that the nslookup succeeded, even though Server2 is now a SecureNAT client.
On Server1, open ISA Management.
In the console tree, click the Sessions folder.
Right-click the details pane and click Refresh.
Find Server2's current Internet session listed in the details pane. Notice that the session type is listed as Firewall Session, the user name is blank, and the client computer is identified only by its IP address, 192.168.0.2. SecureNAT clients do not send the user account name or client computer name with the session information, which is also why access rules based on users or groups cannot be applied to SecureNAT traffic.
On Server2, re-enable the Firewall Client software.
Lesson Summary
To ensure complete and secure Internet access for your ISA Server clients through a dial-up connection, you will need to create a dial-up entry policy element and configure the network to route requests to upstream servers using that dial-up entry. Configuring a dial-up entry in ISA Server allows SecureNAT client computers to access the Internet through non-Web connections, and it allows you to apply connection-specific rules to any policies you configure in ISA Server.
Creating dial-up entries also allows you the option of configuring dial-on-demand. This feature allows your ISA Server computer to initiate a dial-up connection to the Internet automatically whenever a Web Proxy or firewall client on the local network requests a remote host.